I'm making a registration form where some input goes into the DB and some does not. My page uses UTF-8. For the data that doesn't go into the DB, I use this function (a sort of htmlspecialchars):
// Removes these characters from $s outright (it does not encode them)
$c = array("'", '"', "/", "<", ">", "$", "%");
$s = str_replace($c, "", $s);
For the DB I will use mysqli_real_escape_string. Two questions from the security point of view, assuming I want to allow symbols and Unicode (UTF-8):
1- For the data that doesn't go into the DB, is the function above enough?
2- For the data that goes into the DB, is mysqli_real_escape_string enough, or should I use the function above too? Or something else?
Thanks.
Update 1: updated after bobince's answer.
// Same approach, with backslash and ampersand added to the list of stripped characters
$c = array("'", '"', "/", "\\", "<", ">", "$", "%", "&");
$s = str_replace($c, "", $s);
Update 2: So, to insert into the DB I should use mysqli_real_escape_string or a prepared statement, and then escape at every output, in a way that depends on the platform/language.
2 Notes:
This way I have to escape many times instead of once, but there are some advantages too...
PHP seems pretty strong against little hacks; it looks like it automatically escapes some characters...
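The pattern described in Update 2 (store the raw value with a prepared statement, escape at output for the HTML context) as an added example, not code from the original question. It also shows, side by side, the character-stripping function from the question and the data it loses. Assumptions: a `users` table with `id`, `username` and `bio` columns, and placeholder DB credentials; the character set is set to utf8mb4, which is the MySQL charset that covers all of UTF-8 (the question's page uses "utf8").

```php
<?php
// Added example (not the original poster's code).
// Assumes a table: users(id INT AUTO_INCREMENT PRIMARY KEY, username VARCHAR(64), bio TEXT)
declare(strict_types=1);

// The question's approach: strip a list of characters. Kept here only for comparison.
function stripChars(string $s): string
{
    $c = array("'", '"', "/", "\\", "<", ">", "$", "%", "&");
    return str_replace($c, "", $s);
}

// Output escaping for an HTML text/attribute context: encode instead of strip,
// so symbols and Unicode survive and the browser never sees raw markup.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Storage via a prepared statement: the values never become part of the SQL text,
// so no escaping (and no stripping) is needed for the database at all.
function storeUser(mysqli $db, string $username, string $bio): int
{
    $stmt = $db->prepare('INSERT INTO users (username, bio) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $bio);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

// The non-prepared route from the question, done correctly: real_escape_string is
// applied only to the string being spliced into SQL, and only after set_charset().
function storeUserEscaped(mysqli $db, string $username, string $bio): int
{
    $sql = "INSERT INTO users (username, bio) VALUES ('"
         . $db->real_escape_string($username) . "', '"
         . $db->real_escape_string($bio) . "')";
    $db->query($sql);
    return (int) $db->insert_id;
}

function loadBio(mysqli $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT bio FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($bio);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $bio : null;
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
$db = new mysqli('localhost', 'app_user', 'app_password', 'app'); // placeholder credentials
$db->set_charset('utf8mb4'); // connection charset; real_escape_string depends on it being right

// Constructed sample input: a quote, a tag, symbols and non-ASCII text.
$username = "O'Brien <b>";
$bio      = 'Likes "C++" & 100% ünïcödé ☃';

// What the stripping function would have stored/shown: "OBrien b" and
// "Likes C++  100 ünïcödé ☃" (quotes, tag brackets, & and % are gone).
echo '<p>' . stripChars($username) . ' / ' . stripChars($bio) . '</p>';

// What the store-raw, escape-on-output pattern gives: the text exactly as typed,
// rendered as text rather than markup.
$id = storeUser($db, $username, $bio);
echo '<p>' . html($username) . '</p>';
echo '<p>' . html((string) loadBio($db, $id)) . '</p>';
```

If the same value is later written somewhere other than HTML (a JSON response, a shell command, an e-mail header), it needs that context's own escaping at that output point; the stored value stays unescaped.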