Hey, while thinking about web design I thought of an extra security idea. This may have been done, but for those that haven't thought of it, they might like it. I was thinking instead of just blocking out SQL injection through form data and special characters, the process could be taken a step farther. You could create a table called 'infractions' in your database. Then whenever you allow a user to type in form data you could run some checks on it to see if they've used illegal characters or script-like text. If there's a match you can send the user's name, IP, and the alleged string to the table. This way you aren't losing track of those that may have tried to cause a security issue. You could keep tabs on them and they wouldn't really know. If they broke any outright rules you could cross-reference them with your infraction table and see if they've tried to cause a major security risk through script-like text on your site. If so you can take appropriate action: either just penalize them for the rule breaking, or deem them too great of a risk and block them outright. This will add extra security for your own site, and give you a bit of extra peace of mind over your users.
Thing is, invalid characters might be desirable as data, so that's not really an answer. The proper answer is to use prepared queries when you have user input being sent to a query. That's the be-all end-all of it. Wasting time escaping values yourself or worrying about injections was SUPPOSED to go the way of the dodo eight years ago when PHP 5 dropped; shame most people still have their heads wedged up their backside on actually USING mysqli or PDO, and are still sleazing out code using the 'insecure by design' mysql_ functions, even with the giant red warning boxes telling people to stop doing that. Between the connection being global in scope and no auto-sanitization method - much less the idiocy of passing query and data at the same time - the mysql_ functions and their kin should be relics of the past.
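As an added example (not code from either poster), here is the "query and data at the same time" concatenation pattern next to the PDO prepared query the second post recommends, run against an in-memory SQLite database with constructed sample rows; the table, column and function names are assumptions for illustration.

```php
<?php
// Added example: the "before" (string concatenation) beside the "after"
// (PDO prepared statement). In-memory SQLite so it runs with no server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
// Constructed sample data; note the legitimate apostrophe in the second name.
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// Insecure-by-design pattern: the SQL text and the user's data are mixed
// into one string, so the data can alter the statement's structure.
function findUserUnsafe(PDO $pdo, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared query: the statement is parsed first and the value is bound
// afterwards, so whatever $name contains is only ever treated as a value.
function findUserSafe(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A real value that a naive "illegal character" filter would reject or
// mangle is handled as-is by the bound parameter: one matching row.
var_dump(findUserSafe($pdo, "O'Brien"));

// The same ordinary input already breaks the concatenated version with a
// syntax error, which is the symptom that user data reached the parser.
try {
    findUserUnsafe($pdo, "O'Brien");
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}
```

The point the second post makes is visible in the two functions: the prepared version needs no escaping and no character blacklist, because the database never parses the bound value as SQL.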