views: 156

answers: 3

I know this is a very basic question, that's why I just want a simple answer please. There are several ways to make my user input safe for MySQL.

Is using this the BEST method

mysql_real_escape_string()

On all user submitted items going into a mysql query?

If I use the above, do I need to use another function on that data when I get it back from MySQL to show it on a PHP page?

+2  A: 

escape input, filter output.

  • You should use mysql_real_escape_string() or prepared statements going into the db.
  • You should use htmlentities() on any data generated by an end user when displaying on a page.

Please note that htmlentities will not handle every possible cross-site scripting attack depending on the user's browser and the particular attack vector they used. Many individuals use a sanitization library like HTML Purifier to cleanse their data prior to displaying it on a page.

cballou
I was just looking at htmlentities(); it says: A 'quote' is <b>bold</b> ====is turned into=== A 'quote' is &lt;b&gt;bold&lt;/b&gt;. If I run this and view the source of the page, will it show up as HTML or like this?
jasondavis
@jasondavis, it will turn valid HTML tags into their entity (text) equivalents. If your output variables contain HTML you should look into utilizing HTML Purifier.
cballou
+2  A: 

PHP has a very good filter function:

http://php.net/manual/de/ref.filter.php

/*** use a callback filter to mysql_real_escape_string ***/
/*** note: mysql_real_escape_string() needs an open mysql_connect() link, and it only escapes; the value still has to sit inside quotes in the query ***/
$answer = filter_input(INPUT_POST, "answer", FILTER_CALLBACK, array("options"=>"mysql_real_escape_string"));

/*** create an sql query (the escaped value is placed inside single quotes) ***/
$sql = "INSERT INTO quiz (answers) VALUES ('{$answer}')";

/*** echo the query ***/
echo $sql;
streetparade
+3  A: 

Using prepared statements is the best way to put data into MySQL. Prepared statements explicitly tell MySQL what is SQL and what is data, so MySQL won't execute any SQL in the data.

You can get started with prepared statements with Mysqli.

As for showing the data in your PHP pages, you can use htmlspecialchars() to escape your output.

Chasen Le Hara
Prepared statement is the way to go. Clean code, smart, bug-free.
Clash
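The two points the thread converges on (bind input as data with a prepared statement, escape output for HTML at display time) in one runnable script. This is an added example, not code from any of the answers above. It assumes a MySQL server reachable at 127.0.0.1 with the made-up credentials shown, a database `quizdb`, and a table `quiz(id INT AUTO_INCREMENT PRIMARY KEY, answers TEXT)`; the input string is constructed to look like an injection attempt.

```php
<?php
// Added example (not from the original thread): prepared statement on the way in,
// htmlspecialchars() on the way out.
// Assumptions: MySQL at 127.0.0.1, database quizdb, user quizuser/quizpass (made up),
// and a table quiz(id INT AUTO_INCREMENT PRIMARY KEY, answers TEXT).

// Throw exceptions on any mysqli error instead of silently continuing.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('127.0.0.1', 'quizuser', 'quizpass', 'quizdb');

// Set the connection charset explicitly: escaping and binding are charset-aware.
$db->set_charset('utf8mb4');

// Constructed input: what an attacker might submit in the "answer" field.
$answer = "' OR 1=1; -- <script>alert(1)</script>";

// 1. Input: the SQL text contains a placeholder only. The user value is sent
//    separately and is never parsed as SQL, so no escaping is needed here.
$stmt = $db->prepare('INSERT INTO quiz (answers) VALUES (?)');
$stmt->bind_param('s', $answer);   // 's' = bind as a string
$stmt->execute();
$stmt->close();

// 2. Read it back, again with a bound parameter (here an integer id).
$id = $db->insert_id;
$stmt = $db->prepare('SELECT answers FROM quiz WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($stored);
$stmt->fetch();
$stmt->close();

// 3. Output: the stored value is the raw text (binding did not alter it), so
//    escape it for the HTML context at display time, not before storing.
//    ENT_QUOTES covers both quote styles, which matters inside attributes.
echo '<p>', htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "</p>\n";
$db->close();
```

Storing the raw value and escaping only when rendering is what lets the same row be shown safely in HTML, JSON or a plain-text email, each with its own encoding. Note that the `mysql_*` functions used in the other answers were removed in PHP 7; `mysqli_real_escape_string()` still exists, but it only escapes and still requires the value to be placed inside quotes in the query, which is why binding is the less error-prone choice.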