I am writing a forum system, and I would like to know what things I need to do to the data before I put it in mysql, so that the given data won't be a problem. I know that quotes are a problem, but I don't know what else is. Also, if you could explain the best way to parse the string I would be grateful.
Use the mysql_escape_string() function. There's also something called mysql_real_escape_string() but it's currently only available in the dev version of PHP. I have no idea what's different between them. There's a feature called "magic_quotes" in the php.ini file that's supposed to take care of escaping quotes for you. However, it doesn't seem to be used all the time (or maybe I'm just a sucky observer) so I leave it off and do all the checking with my own functions. Those two functions I mentioned first don't escape the "_" and "%" characters for some unknown reason, which I'm going to post a new thread about shortly. EDIT - Let's just pretend I can write here, folks 😉.
If your database will be storing any HTML code, and you don't want it rendered on the browser, you should wrap any results that contain HTML code inside the htmlspecialchars() function.
That one's fresh in my head, I dealt with it last week.
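The thread's advice carried through in code, as an added example rather than anything a poster wrote: current PHP passes values to MySQL through prepared statements (PDO here) instead of mysql_escape_string(), but the two gaps the replies raise, the unescaped LIKE wildcards "%" and "_" and HTML inside stored posts, still have to be handled separately. It assumes an existing PDO connection in `$pdo` and a hypothetical `posts` table with `id`, `thread_id`, `author` and `body` columns.

```php
<?php
// Added example, not code from the thread. Assumes $pdo is a PDO connection to
// MySQL and a hypothetical table posts(id, thread_id, author, body).

// Escape LIKE wildcards ourselves: as the reply notes, the mysql escape functions
// leave "%" and "_" alone, so a search for "100%" would match anything starting "100".
// "!" is used as the escape character so backslash handling in MySQL does not matter.
function escapeLike(string $value, string $escape = '!'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

function storePost(PDO $pdo, int $threadId, string $author, string $body): int
{
    // Prepared statement: values travel separately from the SQL text, so quotes,
    // backslashes and NUL bytes in $body cannot alter the query.
    $stmt = $pdo->prepare(
        'INSERT INTO posts (thread_id, author, body) VALUES (:thread_id, :author, :body)'
    );
    $stmt->execute([
        ':thread_id' => $threadId,
        ':author'    => $author,
        ':body'      => $body,   // stored as typed; encoding happens at output time
    ]);
    return (int) $pdo->lastInsertId();
}

function searchPosts(PDO $pdo, string $term): array
{
    // Binding protects against injection, but "%" and "_" keep their pattern
    // meaning inside LIKE, so the wildcard escaping above is still required.
    $stmt = $pdo->prepare("SELECT id, author, body FROM posts WHERE body LIKE :pattern ESCAPE '!'");
    $stmt->execute([':pattern' => '%' . escapeLike($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function renderPost(array $post): string
{
    // Output encoding, as the last reply describes: HTML in a stored post is shown
    // as text instead of being rendered, which is what stops stored XSS.
    $author = htmlspecialchars($post['author'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $body   = nl2br(htmlspecialchars($post['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    return "<article><h3>$author</h3><p>$body</p></article>";
}
```

Calling `searchPosts($pdo, '50%_off')` looks for that literal text rather than treating "%" and "_" as wildcards, and `renderPost()` turns a stored `<script>` into visible text rather than executable markup.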