I'm working on a couple of pages to manage data coming from a textarea which the user can use to write some content through a basic editor WYSIWYG. In this textarea I abilitate few tags. I'm wondering if the following process is going to be enough to protect myself from spam and other hidden dangers related to sql query injection and so on.
My steps
function string_db ($value) 
{ 
   $value = (get_magic_quotes_gpc()) ? stripslashes($value) : $value; 
   return mysql_real_escape_string($value); 
} 
$content = string_db(trim($_POST['conten']));
$content = strip_tags($content, '<p><a><b><u><i>'); // The 5 tags allowed
$content = str_replace("<", "", $content);
$content = str_replace(">", "", $content); //In case someone try to type html entities instead of html code
//INSERT DATA IN DB
On the page where I display the data previously saved in the db I use:
echo html_entity_decode($contentFromDb);
Is this enough? IS there a list of tests to do in order to prove the effectiveness?
Thanks a lot
 
                        
You should use PHP's PDO functionality instead. Using this you create prepared statements, which will help eliminate SQL injection vulnerabilities.
In the above example, we connect to the database and set the database handle as
$DBH. Then we prepare our query and use unnamed placeholders (the?s). Next we bind our PHP variables to the unnamed placeholders. Finally, we set our variables and execute the query. This can be repeated with new values, simply by changing the data in the PHP variables.