Can someone please explain to me in detail what is the best way to set up a script when getting data from a user from a form that is then going to be submitted into a MySQL database. I have read as much as I can find and I get about 95% of it, but it seems to be different in different articles I read. I want to know what is the best way.
Should I leave magic quotes on? Do I turn them off and use addslashes?
What about htmlspecialchars? Should I also do that to every variable the user inputs?
This is a function I wrote for filtering the text with addslashes but I think I should remove it if magic quotes is on... correct?
function filter_text ($var)
{
    $var = trim($var);
    $var = htmlspecialchars($var);
    $var = addslashes($var);
    return $var;
}
What about getting the data back out of the database? If magic quotes is on do I do nothing or do I have to stripslashes?
Please help straighten this out for me. If you have a function you use for filtering text, can you please post the code or tell me what I should do with mine.
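An added example (not the poster's code) of the approach the question is circling around: don't escape data on the way into the database at all, bind it as a parameter instead, and apply htmlspecialchars only at the point where the value is printed into HTML. It assumes PHP 7 or later with the PDO extension and its SQLite driver, and uses an in-memory SQLite database so it runs offline; the MySQL DSN in the comment is a placeholder, and the table and column names are invented for the example.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7+ with PDO and pdo_sqlite.
// Uses an in-memory SQLite database so it runs offline; for MySQL the only change
// is the DSN, e.g. 'mysql:host=localhost;dbname=app;charset=utf8mb4' (placeholder).

// Magic quotes (removed in PHP 5.4) pre-escaped GET/POST values with backslashes.
// Undo that once at the input boundary so the stored value is what the user typed.
// On modern PHP the function no longer exists and this is a no-op.
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With MySQL, also turn off emulated prepares so the server does the binding:
    // $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
    return $pdo;
}

// Storage: no addslashes. The placeholders keep the values as data, never as SQL,
// so quotes and backslashes in user input cannot change the statement.
function save_comment(PDO $pdo, string $author, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([
        ':author' => trim(raw_input($author)),
        ':body'   => trim(raw_input($body)),
    ]);
    return (int) $pdo->lastInsertId();
}

// Reading back: the row contains exactly what was typed, so no stripslashes either.
function load_comment(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output: escape for the context being written into (HTML here), at output time.
// Escaping at storage time would corrupt the data for every other consumer
// (JSON APIs, e-mail, CSV exports) and makes it impossible to know what is stored.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input standing in for $_POST values: an apostrophe and a tag.
$pdo = connect();
$id  = save_comment($pdo, "O'Brien", "Hello <b>world</b>, it's 5 o'clock");
$row = load_comment($pdo, $id);

// The stored body is unchanged user input: no backslashes were added or removed.
var_dump($row['body'] === "Hello <b>world</b>, it's 5 o'clock");

// Only here, in the HTML page, do the quotes and angle brackets get encoded.
echo '<p>', html($row['author']), ': ', html($row['body']), "</p>\n";
```

With this split, filter_text() in the question is no longer needed: trim() can stay as input normalisation, addslashes() is replaced by the bound parameters, and htmlspecialchars() moves to the template. Because raw_input() only strips the slashes that magic quotes added, the code behaves the same whether magic quotes are on, off, or absent from the PHP version entirely.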