Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.


#169200
__
Participant

@TheDoc or @Paulie_D, I have another lost post (in this thread; made this morning). Can anyone rescue it?


@JamesBurton:

For HTML, use the htmlspecialchars function. This turns <, >, &, ", and ' into their html entity equivalents.

For SQL, it depends on what SQL engine you’re using, and how you’re using it. The best approach -assuming you’re using a MySQL database- is to use the PDO or MySQLi extensions, which support prepared statements: you write the query first, with placeholders for the data, and then provide the data separately. This way, MySQL cannot possibly confuse the two.

For a validation()-type function, you should not sanitize anything. Validation and sanitization are separate things. Validation depends on what the data is supposed to be (e.g., a name, email address, amount of money, etc.), while sanitization depends on what you’re doing with it. There is no one-size-fits-all solution.
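The three points above (escape for HTML with htmlspecialchars, keep SQL and data apart with a PDO prepared statement, and validate without sanitizing) in one runnable PHP script. This is an added example, not code posted in the thread; the table name `contact_messages`, the DSN and the credentials are assumptions, and the sample input is constructed. Note that the example passes `ENT_QUOTES` so that single quotes are converted as well as double quotes, which matters when the value lands inside an HTML attribute.

```php
<?php
// Added example (not the poster's code): validate first, store with a
// prepared statement, and escape for HTML only at output time.
// Table name, DSN and credentials below are assumptions.

declare(strict_types=1);

/**
 * Validation: decide whether the input is what it is supposed to be.
 * Returns a list of error strings; an empty list means valid.
 * Nothing is modified or "cleaned" here.
 */
function validateContact(array $input): array
{
    $errors = [];
    $name  = trim((string)($input['name'] ?? ''));
    $email = trim((string)($input['email'] ?? ''));
    $body  = trim((string)($input['message'] ?? ''));

    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'name must be 1-100 characters';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    if ($body === '' || mb_strlen($body) > 5000) {
        $errors[] = 'message must be 1-5000 characters';
    }
    return $errors;
}

/**
 * Storage: a PDO prepared statement sends the query text and the data
 * separately, so user input is never interpreted as SQL. The raw value is
 * stored; HTML escaping belongs at output, not here.
 */
function storeContact(PDO $db, string $name, string $email, string $body): void
{
    $stmt = $db->prepare(
        'INSERT INTO contact_messages (name, email, body) VALUES (:name, :email, :body)'
    );
    $stmt->execute([':name' => $name, ':email' => $email, ':body' => $body]);
}

/**
 * Output: escape for HTML when rendering. ENT_QUOTES converts both ' and ",
 * so the result is safe in text content and in a quoted attribute.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- usage with constructed sample input ---
$input = [
    'name'    => "O'Brien <b>",
    'email'   => 'ob@example.com',
    'message' => "Hi \"there\" & bye",
];

$errors = validateContact($input);
if ($errors !== []) {
    foreach ($errors as $e) {
        echo 'invalid: ', h($e), "\n";
    }
    exit(1);
}

// Assumed DSN and credentials. Emulated prepares are disabled so the MySQL
// server itself parses the statement before it ever sees the data.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
storeContact($db, $input['name'], $input['email'], $input['message']);

// Render the values back into HTML: text node and attribute value.
echo '<p>Thanks, ', h($input['name']), '!</p>', "\n";
echo '<input type="text" value="', h($input['email']), '">', "\n";
```

The split mirrors the post's advice: `validateContact()` only answers "is this the kind of value we expect?", `storeContact()` relies on the placeholder mechanism rather than on any escaping, and `h()` is applied at the single point where the data becomes HTML.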