How do I stop unwanted characters?

[codeboy89]

Here is my snippet for a comments form, below. I am trying to only allow a-z and 0-9, it works fine. But the problem is if the user types @ or < or other characters it will remove them from the form but they still end up in the database. Is there a way to fix this problem? Can I only allow numbers, letters, and whitespace into the database with phpmyadmin or is there something I am missing?

 

<textarea name="comment" rows="10" cols="35" /><?php echo htmlentities(preg_replace('/[^A-Za-z0-9\s]/', '', $saved_comment), ENT_QUOTES); ?></textarea>

[Alex]

Just preform the same functions on the data before inserting it into the database. You should also be using mysql_real_escape_string() on all data being passed into mysql_query().

[codeboy89]

how would i work that into this?

 

$comment = mysql_real_escape_string(strip_tags($_POST['comment']));

[Alex]

$comment = mysql_real_escape_string(strip_tags(htmlentities(preg_replace('/[^A-Za-z0-9\s]/', '', $_POST['comment']))));

[codeboy89]

thank you very much for solving my issue Alex!

[Alex]

Np, just remember to always mark topics as solved once the issue has been resolved. There's a button on the bottom left to do so.