To stop SQL Injection you should use:
For numeric/integer values:
$foo = intval($foo);
www.php.net/intval
And for any other data:
$foo = mysql_real_escape_string($foo);
www.php.net/mysql_real_escape_string
Never, ever trust the user or think "Nah, they won't do or try this". You can also use the preg_* functions to filter the input down to what it needs to be.
For example if you only want to allow characters from a-z you can do:
$foo = preg_replace('/[^a-z]/i', '', $foo); // '' not null: a null replacement is deprecated in PHP 8.1+
www.php.net/preg_replace
Or if you have a select for example, and you want to make sure the submitted value exists in the select, do something like:
$allowed_values = array('foo', 'bar', 'etc');
if (!in_array($_POST['select'], $allowed_values)) {
    // Handle error
}
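The three checks from the answer above (integer cast, character allow-list, value allow-list), written out as an added example that is not part of the original answer, followed by a parameterised query so the validated value is bound rather than concatenated into the SQL string. Assumptions: the mysql_* extension is unavailable (it was removed in PHP 7.0), PDO with the sqlite driver is installed so the query part runs offline against an in-memory database, and the `$inputs` array is constructed sample data standing in for `$_POST`. The function names `cleanInt`, `cleanAlpha` and `isAllowedOption` are this example's own, not from the answer.

```php
<?php
declare(strict_types=1);

// Numeric input: force an integer, the answer's intval() step.
// Anything after the leading digits (e.g. an injected " OR 1=1") is dropped.
function cleanInt($raw): int
{
    return intval($raw);
}

// Character allow-list: keep only a-z / A-Z, the answer's preg_replace() step.
// '' is used as the replacement; null is deprecated for string params in PHP 8.1+.
function cleanAlpha(string $raw): string
{
    return preg_replace('/[^a-z]/i', '', $raw);
}

// Value allow-list for a <select>: strict comparison so that "0", "" or an
// integer cannot loosely match an unrelated allowed entry.
function isAllowedOption($raw, array $allowed): bool
{
    return is_string($raw) && in_array($raw, $allowed, true);
}

// Constructed inputs standing in for $_POST (assumption: sample data only).
$inputs = [
    'id'     => "42 OR 1=1",               // injection attempt in a numeric field
    'name'   => "bob'; DROP TABLE users;--",
    'select' => 'baz',                     // not one of the allowed options
];

$id   = cleanInt($inputs['id']);
$name = cleanAlpha($inputs['name']);
$ok   = isAllowedOption($inputs['select'], ['foo', 'bar', 'etc']);

if (!$ok) {
    // Handle error: reject the request instead of substituting a default.
    echo "select: value not in allow-list, request rejected\n";
}

// Parameterised query: bound values are sent as data, never parsed as SQL,
// so even the raw 'name' string cannot change the statement's structure.
// In-memory SQLite keeps the example self-contained (assumption: pdo_sqlite present).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (42, 'bob')");

$stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id AND name = :name');

// Raw, unfiltered name bound as a parameter: no row matches, table still exists.
$stmt->execute([':id' => $id, ':name' => $inputs['name']]);
var_dump($stmt->fetch(PDO::FETCH_ASSOC));

// Legitimate value bound the same way.
$stmt->execute([':id' => $id, ':name' => 'bob']);
var_dump($stmt->fetch(PDO::FETCH_ASSOC));

// The table survived the attempt above.
var_dump($pdo->query("SELECT count(*) FROM users")->fetchColumn());
```

Run with `php example.php`. The allow-list and casting functions reduce what reaches the query; the prepared statement is what makes the query itself safe regardless of the input, which is why it is worth using even after escaping or filtering.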