Injection attacks - avoiding nasty characters
[Diagram: the data flow from form, through PHP strings in memory, to MySQL and back out to the next HTML page, with the PHP cleaning function for each stage]
It's one thing to write a web based application that provides the functionality required,
and quite another to provide the same application ruggedised against malicious users,
or against those who simply make wrong data entries. One of the best ways to reduce possible injection
attacks is to consider each stage of your data handling and provide a data or string
cleaner at each step as you move your data from a form (where there's one set of special characters involved,
under the URL encoding scheme) through strings in memory to a MySQL database (where there are
four special characters, and they're NOT the same ones), then back to the user as part of
the next HTML page, where there's a third form of encoding. The diagram above shows how your data
flows through, and the PHP functions that you can use to scrub it clean at each stage.
Forewarned is forearmed, they say, but do be forewarned that this diagram isn't the whole
story; you also need to consider users who prefix their file names with strings like ../../,
visitors to your web site who post unacceptable content, and more.
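As an added example (not code from the original page or from Well House Consultants), here is one cleaner per stage of the flow described above, plus a check for the ../../ file-name trick the text mentions. The table name, column names, the DEMO_MYSQL_* environment variables and the upload directory are assumptions made for the example; everything except the database lookup runs stand-alone from the command line.

```php
<?php
// Added example, not part of the original article. One cleaning function for each
// stage the article describes: form -> PHP string -> MySQL -> HTML page.
declare(strict_types=1);

// Stage 1: URL-encoded form data -> PHP string.
// PHP has already URL-decoded $_GET/$_POST, so the job here is validation.
// Accept only a plain file name: anything with a directory part (../../ included)
// is rejected outright rather than silently repaired, then an allow-list is applied.
function cleanFileName(string $raw, string $baseDir): ?string
{
    if ($raw !== basename($raw)                                   // contains a path component
        || preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $raw) !== 1) {
        return null;
    }
    return rtrim($baseDir, '/') . '/' . $raw;
}

// Stage 2: PHP string -> MySQL. A prepared statement sends the value separately from
// the SQL text, so none of MySQL's special characters can change the query's meaning.
// (The older approach, mysqli_real_escape_string(), also needs a live connection.)
// Table and column names are assumed for the example.
function findUserByName(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Stage 3: PHP string -> HTML. Encode the HTML-significant characters, including
// both quote styles, so the value is safe inside attribute values as well as text.
function htmlText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Stage 3 again, for a value that goes back out inside a URL on the HTML page:
// URL-encode first (for the query string), then HTML-encode (for the attribute).
function htmlLink(string $path, array $params, string $label): string
{
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    return '<a href="' . htmlText($path . '?' . $query) . '">' . htmlText($label) . '</a>';
}

// Constructed sample inputs: the kind of hostile or plain wrong entries the article has in mind.
$samples = [
    'file'   => '../../etc/passwd',
    'name'   => "O'Reilly <script>alert(1)</script>",
    'search' => 'fish & chips "special" 100%',
];

$path = cleanFileName($samples['file'], '/var/www/uploads');   // directory is an assumption
echo 'file name: ', $path === null ? 'REJECTED' : $path, PHP_EOL;
echo 'ok name:   ', cleanFileName('report-2.txt', '/var/www/uploads'), PHP_EOL;
echo 'html text: ', htmlText($samples['name']), PHP_EOL;
echo 'html link: ', htmlLink('/search.php', ['q' => $samples['search']], 'search again'), PHP_EOL;

// The database stage only runs when a connection is configured via the (assumed)
// DEMO_MYSQL_* environment variables; the stages above need no database.
$host = getenv('DEMO_MYSQL_HOST');
if ($host !== false) {
    $db = new mysqli($host, getenv('DEMO_MYSQL_USER') ?: 'demo', getenv('DEMO_MYSQL_PASS') ?: '', 'demo');
    // The quote and <script> in the sample name are sent as data, not as SQL.
    print_r(findUserByName($db, $samples['name']));
}
```

Each function is tied to exactly one boundary: cleanFileName() never touches HTML, htmlText() never touches SQL, and the database function takes the raw PHP string because the prepared statement does its own quoting. Applying the wrong cleaner at a boundary (for example, HTML-encoding a value before it goes into MySQL) stores corrupted data without making the query any safer.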
More about good practise in PHP. Associated topic: PHP - Further Web Page and Network Handling.
PH: 0800 043 8225 or 01225 708225 • FAX: 0845 8382 405 or 01225 707126 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho