Is
$username = $_POST['username'];
$sanitizedUsername = strip_tags(stripcslashes($username));
enough to prevent malacious sql injections and other types of attacks. If not what else should I use?
P.S. I want to allow users to choose usernames and passwords that contain alphanumeric, space and symbol characters (except those like quotes or asterisks that are used in mysql statements).
When you insert into the database, use:
mysql_real_escape_string($_POST['username']);
When you are outputting to HTML, use:
htmlspecialchars($_POST['username']);
Use string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )
If you'r environment allows it, always use parametrized queries to avoid SQL injection http://pl.php.net/manual/en/mysqli.prepare.php