Filtering user input for database queries
I'm currently programming a site with a lot of instances of user input being used in queries to a mySQL database via PHP. I know that I need to filter or validate the user input, but what should I be looking for? I don't have a complete understanding of it, but I have seen mention of certain words - e.g. DROP, TRUNCATE - that should not make their way into a query, so do I need to literally and explicitly screen the user input for those and other specific words? It seems like there should be a more general solution...
Delete this message and repost it to the PHP forum for the best answers.
Anyway, you first need to ask yourself what value you expect for each field. Alphabetical? Numerical? How many characters?
You don't screen user input; your script validates it after the form submission.
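The per-field validation the answer describes, as an added example in PHP (not code from the original thread); the rule table, the field names, the sample submission and the `$db` connection are assumptions:

```php
<?php
// Added example (not from the original post): validate each form field
// against the value you expect for it, instead of scanning the input for
// words like DROP or TRUNCATE.

// Hypothetical rule table: one entry per form field.
$rules = [
    'username' => ['pattern' => '/^[A-Za-z0-9_]{3,20}$/'],   // alphanumeric, 3-20 chars
    'age'      => ['int' => true, 'min' => 0, 'max' => 150], // numeric, within a range
    'country'  => ['allowed' => ['US', 'CA', 'GB']],         // fixed list of values
];

/**
 * Returns an array of validated values, or throws on the first field that
 * does not match what is expected. Fields without a rule are ignored.
 */
function validateInput(array $input, array $rules): array
{
    $clean = [];
    foreach ($rules as $field => $rule) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            throw new InvalidArgumentException("Missing field: $field");
        }
        $value = trim($input[$field]);
        if (isset($rule['pattern']) && !preg_match($rule['pattern'], $value)) {
            throw new InvalidArgumentException("Bad format: $field");
        }
        if (!empty($rule['int'])) {
            $opts  = ['options' => ['min_range' => $rule['min'], 'max_range' => $rule['max']]];
            $value = filter_var($value, FILTER_VALIDATE_INT, $opts);
            if ($value === false) {
                throw new InvalidArgumentException("Out of range: $field");
            }
        }
        if (isset($rule['allowed']) && !in_array($value, $rule['allowed'], true)) {
            throw new InvalidArgumentException("Not allowed: $field");
        }
        $clean[$field] = $value;
    }
    return $clean;
}

// Constructed sample submission standing in for $_POST.
$sample = ['username' => 'alice_01', 'age' => '34', 'country' => 'CA', 'extra' => 'x'];
$clean  = validateInput($sample, $rules);

// Validated values still go into the query as bound parameters, never by
// string concatenation ($db is an assumed open mysqli connection).
$stmt = $db->prepare('INSERT INTO users (username, age, country) VALUES (?, ?, ?)');
$stmt->bind_param('sis', $clean['username'], $clean['age'], $clean['country']);
$stmt->execute();
```

A rejected field raises an exception here so the request stops before any query runs; in a real form handler you would catch it and re-display the form with an error.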