For HTML, use the htmlspecialchars function. This turns ' into their HTML entity equivalents.
For SQL, it depends on what SQL engine you’re using, and how you’re using it. The best approach (assuming you’re using a MySQL database) is to use the PDO or MySQLi extensions, which support prepared statements: you write the query first, with placeholders for the data, and then provide the data separately. This way, MySQL cannot possibly confuse the two.
validation()-type function, you should not sanitize anything. Validation and sanitization are separate things. Validation depends on what the data is supposed to be (e.g., a name, email address, amount of money, etc.), while sanitization depends on what you’re doing with it. There is no one-size-fits-all solution.
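The three points in the reply above, as an added example that is not part of the original post: validation checks that the data is what it is supposed to be, a PDO prepared statement keeps the data separate from the SQL text, and htmlspecialchars is applied only when the value is rendered as HTML. The field names (name, email, message), the messages table and the use of an in-memory SQLite database in place of MySQL (so the script runs offline; the PDO calls are the same with a MySQL DSN) are assumptions made for this example.

```php
<?php
// Added example, not code from the forum post. Assumes form fields "name", "email"
// and "message", a "messages" table, and SQLite in memory standing in for MySQL.
declare(strict_types=1);

/** Validation: is the data what it is supposed to be? Returns a list of errors. */
function validateContactForm(array $input): array
{
    $errors = [];
    $name = trim((string)($input['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'name must be 1 to 100 characters';
    }
    if (filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    $message = trim((string)($input['message'] ?? ''));
    if ($message === '' || mb_strlen($message) > 5000) {
        $errors[] = 'message must be 1 to 5000 characters';
    }
    return $errors;
}

/** Storage: the query text and the data travel separately, so the data is never parsed as SQL. */
function saveMessage(PDO $db, array $input): int
{
    $stmt = $db->prepare(
        'INSERT INTO messages (name, email, body) VALUES (:name, :email, :body)'
    );
    $stmt->execute([
        ':name'  => $input['name'],
        ':email' => $input['email'],
        ':body'  => $input['message'],
    ]);
    return (int)$db->lastInsertId();
}

/** Lookup by id, again with a placeholder rather than string concatenation. */
function loadMessage(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT name, email, body FROM messages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

/** Output: escape for the HTML context only at the point of rendering. */
function renderMessage(array $row): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p><b>' . $esc($row['name']) . '</b> &lt;' . $esc($row['email']) . '&gt;</p>'
         . '<p>' . nl2br($esc($row['body'])) . '</p>';
}

// --- Demo with constructed input standing in for $_POST ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, name TEXT, email TEXT, body TEXT)');

$submitted = [                                   // constructed sample input
    'name'    => "O'Brien <b>not bold</b>",
    'email'   => 'someone@example.com',
    'message' => "Line one's quote\nLine two",
];

$errors = validateContactForm($submitted);
if ($errors) {
    foreach ($errors as $e) {
        echo "error: $e\n";
    }
    exit(1);
}

$row = loadMessage($db, saveMessage($db, $submitted));

// The stored values are exactly what was submitted: nothing was altered or "sanitized".
assert($row['name'] === $submitted['name']);
assert($row['body'] === $submitted['message']);

// Only the HTML rendering is escaped; the quote and the tags come out as entities.
echo renderMessage($row), "\n";
```

The same data is handled differently at each step because, as the reply says, validation depends on what the data is supposed to be, while escaping depends on where it is going: the apostrophe and the angle brackets in the name are stored unchanged and only become entities when the value is written into HTML.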