If I use the addslashes() function for ALL queries on my database (such as login), does that mean that my site is completely secure from SQL injections and other threats, or is this only the start of it?
Use mysql_real_escape_string(); addslashes() is deprecated. Yes, it should make your stuff protected from SQL injections.
You could use mysql_real_escape_string() or addslashes(). But if you use addslashes(), also add an htmlspecialchars() (well, that's what I usually do).
In case you are using MySQL, your site will be more secure with mysql_real_escape_string() - it is good for strings. For numbers (e.g. IDs in the database) intval() is better, because it is much faster.
Obviously, that's what it's there for. You will be happy you did.

<?php
require_once 'includes/conf.inc.' . $phpex;
$var = $_POST['foo'];
$var = mysql_real_escape_string($var);
$insert_id = mysqli_query(...) or die(...); // See?
?>
You could also create some custom functions that do "the essentials" for most of your inputs. For instance:

function clean_str($input)
{
    $output = strip_tags($input);
    $output = trim($output);
    $output = mysql_real_escape_string($output);
    return $output;
}

I use that for strings that I want to make sure don't have any tags inserted in them, or could be the subject of SQL injections. Obviously, it assumes you already have a db connection open when calling the function, and you want to strip tags too.
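The escaping approach the replies describe, carried through for a login lookup, as an added example that is not code from any of the posts. It assumes a mysqli connection with placeholder credentials and a users table with username and account_id columns; it escapes the string with mysqli's real_escape_string() and casts the numeric value with intval() as the replies suggest, then runs the same query as a mysqli prepared statement, which handles both cases without per-field escaping.

```php
<?php
// Added example, not from the thread. Connection details are placeholders.
$db = new mysqli('db-host.example', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4'); // escaping is only correct for the connection's charset

// Untrusted input, constructed here for the demonstration.
$username  = "O'Brien";
$accountId = "42";

// 1. Manual escaping, as the replies describe.
//    The escaped string is only safe inside a quoted literal ('...');
//    an unquoted numeric value must be cast instead, because escaping
//    quotes does nothing for it.
$safeUser = $db->real_escape_string($username);
$safeId   = intval($accountId);
$sql = "SELECT id, username FROM users "
     . "WHERE username = '$safeUser' AND account_id = $safeId";
$result = $db->query($sql);
if ($result === false) {
    die('Query failed: ' . $db->error);
}
$row = $result->fetch_assoc();

// 2. Prepared statement: the query text and the values travel separately,
//    so neither field needs escaping or casting by hand.
$stmt = $db->prepare(
    'SELECT id, username FROM users WHERE username = ? AND account_id = ?'
);
$stmt->bind_param('si', $username, $accountId); // 's' = string, 'i' = integer
$stmt->execute();
$row2 = $stmt->get_result()->fetch_assoc();

var_dump($row === $row2); // both lookups return the same row (or null)
```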