Ok I am writing a set of functions for validating form input and also cleaning input supplied by the user to a php script.

The forms are validated client side first - but all validation is repeated server side as you should never rely on client side validation as it can be disabled or worked around.

The actual validation itself is fairly simple and I have it figured out. What I really have questions about is the text cleaning.

Input is going to be used to query a MySQL database, so one of the obvious things I want to protect against is SQL injection. Also, some input might be stored in the database and then output to an HTML page at a later stage, so I want to ensure that a person cannot insert additional code (HTML / PHP / JavaScript) along with their input.

So far I have it:

1. Checking if magic quotes is off; if it is, it adds slashes
2. strip_tags
3. htmlspecialchars

Is there anything else I should be doing to ensure no unwanted nasties get added into my DB? Anyone think of anything else?

ta

v_Ln
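As an added example, not the poster's code: the cleaning steps described in the post, with the database write done through a PDO prepared statement (the standard defence against SQL injection, so no slashes are added by hand) and the htmlspecialchars step applied when the value is rendered rather than when it is stored. The table, column names and connection details are assumed placeholders.

```php
<?php
// Added example (not the poster's code): the post's cleaning steps wired to a
// PDO prepared statement. Table, columns and DSN details are assumed.

// Undo magic quotes if the server still has them on, so the value is not
// escaped twice once the prepared statement handles quoting itself.
function normalize_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return strip_tags(trim($value));
}

// Store with a parameterized query: the value travels separately from the SQL
// text, so quotes or comment sequences inside it cannot change the query.
function store_comment(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// Encode at output time, not at storage time: the database keeps the original
// text, and each HTML context gets exactly the escaping it needs.
function render_comment(array $row): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return '<p><b>' . $esc($row['author']) . '</b>: ' . $esc($row['body']) . '</p>';
}

// Usage (placeholder credentials); real prepares, not emulated ones.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$author = normalize_input($_POST['author'] ?? '');
$body   = normalize_input($_POST['body'] ?? '');
store_comment($db, $author, $body);
echo render_comment(['author' => $author, 'body' => $body]);
```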