I am trying to secure my site so I’m not vulnerable to sql injection or xss.
Here’s my code:
//here's the form (abbreviated)
<form>
<label for="first_name" class="styled">First Name:</label>
<input type="text" id="first_name" name="first_name" value="<?php if (!empty($first_name)) echo $first_name; ?>" /><br />
//submit button etc
</form>
if (isset($_POST['submit'])) {
//gets rid of extra whitespace and escapes for use inside a quoted SQL string
$first_name = mysqli_real_escape_string($dbc, trim($_POST['first_name']));
//check if $first_name is a string
if (!is_string($first_name))
{
echo "not string";
}
//then insert into the database.
.......
}
- mysqli_real_escape_string: I know that this function escapes certain letters like \n \r, so when the data gets inputted into the dbc, would it have ‘\’ next to all the escaped letters?
- Will this script be enough to prevent most sql injection? Just escaping and checking if the data is a string. For integer values (like users putting in prices), I just use is_numeric().
- How should I use htmlspecialchars? Should I use it only when echoing and displaying user data? Or should I also use this when inserting data to a database?
- When should I use strip_tags or htmlspecialchars?
So with all these functions:
if (isset($_POST['submit'])) {
//gets rid of extra whitespace and escapes for use inside a quoted SQL string
$first_name = mysqli_real_escape_string($dbc, trim($_POST['first_name']));
//check if $first_name is a string
if (!is_string($first_name))
{
echo "not string";
}
//converts <, >, & and quotes into HTML entities (returns a new string, so assign the result)
$first_name = htmlspecialchars($first_name);
//strips any tags from the first name (also returns a new string)
$first_name = strip_tags($first_name);
//then insert into the database.
.......
}
Which functions should I use for sql injection and which ones should I use for xss?
When can a user insert xss scripts against me? When there is a form?
For SQL injection, mysql_real_escape_string should work. (To be totally sure, you can use prepared statements.) For XSS, htmlspecialchars should work. strip_tags might not be as safe, as someone could cleverly disguise their javascript.