Making a TEXT FIELD secure!, how?

[bilis_money]

Ok, i'm  trying to make a search box for my website.
and everything is working fine.

now at the moment of testing and looking for holes i notice that
when i type these ~, !, @, #, $, %, ^, &, *< (), (, ., *.* and etc.
it produces error messages or will display all the records and etc.

now i know that this is not intended to do this way but i think this is one of the holes that a cracker can exploit.

I'm was thinking if this can be solve by using stripslashes() or related with this? I'm hoping that you can give me advice on this, on how to remove this problem.


Thank you very much in advance.

[Jocka]

mysql_escape_string
http://us2.php.net/mysql_escape_string

mysql_real_escape_string
http://us2.php.net/manual/en/function.mysql-real-escape-string.php

[bilis_money]

so which is the most effective?

[corbin]

[quote]
Description
string mysql_escape_string ( string unescaped_string )


This function will escape the unescaped_string, so that it is safe to place it in a mysql_query(). This function is deprecated.

This function is identical to mysql_real_escape_string() except that mysql_real_escape_string() takes a connection handler and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting.
[/quote]

It pretty much is sayin that _real_escape is the newer version...