Hiya,
There's lots that you can and probably should do to user-submitted content - I'll list a few off the top of my head, with a brief explanation of why - obviously some of these may not be needed depending on the level of trust you have with whoever is punching the stuff in:
addslashes() - yep sure, that will stop some of your SQL syntax errors
strip_tags() - I'm assuming here you don't want your users chucking HTML into your pages - if you do, then use the optional argument to specify which ones are allowed - for example:
$apples = strip_tags($apples, '<p><br><i>');
(note you don't need to specify the trailing tag as well - PHP can figure that one out for you!) more information here:
http://www.php.net/manual/en/function.strip-tags.php
Use regular expressions to allow only the information you want, i.e. bar everything then let in only what is acceptable.
For example this will allow only the alphabet and numbers, spaces and a dash:
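// Strip everything that is NOT a letter, digit, space or dash (preg_replace, since eregi_replace was removed in PHP 7)
$strSearch = preg_replace("/[^a-zA-Z0-9 -]/", "", $strSearch);
Explicitly state what form the data is in using settype(). If you're expecting a string then set it as such: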
settype($strSearch,"string");
likewise for an integer etc.
more information here:
http://www.php.net/manual/en/function.settype.php
You didn't mention what database you're using, so I'll assume MySQL - if so, don't accept // (which is used as a comment) or, if you're using MSSQL bar -- which is used in the same manner.
My main concern in all the above is protecting your db against SQL Injection attacks - one can never be too paranoid ;-)
Oh, and as chriskl points out - make sure the data is in the right format for your database design...
Have a nice day
/s
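
The steps listed in the post above, combined into two helpers and run over a few inputs (an added example, not code from the original post). The function names, the length limit and the sample inputs are constructed for illustration, and preg_replace stands in for the removed eregi_replace.

```php
<?php
// Added example; helper names and sample inputs are constructed.

// Free-text field: force string type, drop HTML, then whitelist
// letters, digits, spaces and dashes, as the post describes.
function clean_search_term($raw, $maxLen = 64)
{
    // ?q[]=x arrives as an array; reject instead of casting to "Array".
    if (!is_scalar($raw)) {
        return '';
    }
    settype($raw, "string");
    $raw = strip_tags($raw);
    // preg_replace is used because eregi_replace was removed in PHP 7.
    $raw = preg_replace('/[^a-zA-Z0-9 -]/', '', $raw);
    // Collapse dash runs so "--" cannot survive as a comment marker.
    $raw = preg_replace('/-{2,}/', '-', $raw);
    return substr(trim($raw), 0, $maxLen);
}

// Integer field: accept only a short run of digits, then fix the type.
// Anything else is rejected (null) rather than repaired.
function clean_id($raw)
{
    if (!is_scalar($raw) || !preg_match('/\A[0-9]{1,9}\z/', (string) $raw)) {
        return null;
    }
    settype($raw, "integer");
    return $raw;
}

// Constructed inputs: plain text, HTML, quote plus comment marker, array.
$samples = array(
    "red-apples",
    "<b>bold</b> text",
    "apples' -- ",
    array("not", "a", "string"),
);
foreach ($samples as $s) {
    var_dump(clean_search_term($s));
}
var_dump(clean_id("42"));
var_dump(clean_id("42 OR 1=1"));
```

Whitelisting narrows what reaches the query; the cleaned value should still go to the database as a bound parameter or through the driver's own escaping function rather than being concatenated raw.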