Best ways to sanitize user submitted content? [duplicate]

Question

Possible Duplicate:
PHP: the ultimate clean/secure function

I am working on an experimental social networking site in PHP. So, there will be a lot of user submitted data sent to the database.

I had coded a custom block script a while back, that would just block certain characters or keywords from being submitted. This worked, but it had it's list of problems.

I heard addslashes and mysql_real_escape_string will do this, but I don't want to do anything until I get some solid advice.

I tried addslashes, and it will add slashes to can't, don't, etc. I don't want that.

I just want my database to be safe from xss, html, php, and javascript attacks. Any advice?

Answer 1

• prepared statements from PDO
• filter_var() functions
• htmlspecialchars()

---

For people who don't know PHP or find documentation about functions:

• prepared statements - will provide protection against SQL injections ( but not against extreme stupidity )
• filter_var() - will let you make sure that data really us an URL or email address , etc.
• htmlspecialchars() - converts characters like < , > and & into html entities, thus, protecting against XSS.

I really fail to see the need for explanation here.