Best way to prevent SQL Injection

I want to ensure no SQL attacks and the entire process of passing/receiving from the dbase is secure. All the security with quote, double quote stuff scares the hell out of me.

I also here stories in a mysql table where people can do things like add:
== droptable
to the end of your script and it deletes the table or something.

I fully understand how people can do SQL injection, just need advice on what is the best way I should prevent it:

My current method (not coded yet, planning first) removes a lot of useability, but I think it will make security very good.

Submitting data to database: (assuming for a message board)
1. Reject if characters entered other than A-Z a-z 0-9 ! . ; , ’ : ) ? £ @ + - = # ^ (i.e cant enter ")
2. use str_replace("\'", "'", $name); to replace the ' with \' (escape it but my method may be a little different)
And obviously reverse it before displaying again.
I cant use the mysql_real_escape_string() as I am using Caspio Bridge Web Services and not MySQL for this project. A database web services API.
I wont use Magic Quotes, addslashes / stripslashes as this is deprecated from php 6

What about htmlentities??

 

Use this function:

function quote_smart($value)
{
    if (is_string($value))$value=trim($value);
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    if (empty($value)) return "''";
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

PHP:

 

Thanks for the reply, but you have obviosuly not read my post.

I stated why I could not use magic_quotes, stripslashes AND mysql_real_escape_string.

 

you can compare the md5's not the strings and you'll be 100% free of sql injection

 

mysql_real_escape_string() is a good solution for MySQl, but as you said you use "not MySQL", the best solution is to use parameterized queries if possible.