Is your name Kai, too? Cool.
Just remove all that crap and use the database specific escaping function. I assume you are using MySQL, so, something like:
Code:
// $link is the open MySQL connection; escape with the connection-aware function
$username = mysql_real_escape_string($_POST['username'], $link);
// the escaped value must stay inside single quotes in the query
mysql_query("SELECT a FROM b WHERE c = '$username'", $link);
Forget strip_tags(); it does not help you in terms of security. Maybe in some really rare cases. The same applies to trim(). Forget it. addslashes() is just a general way to escape data, but it is not sufficient, and the database specific function must be used.
Also, remember to enclose values within quotes. For example, in the above code I enclosed the $username value within single quotes. This is necessary.
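Added example (not from the post above): a small Python model of why the escaping only works together with the quotes. The escape() function is a simplified stand-in for the character set mysql_real_escape_string is documented to escape, not the real connection-aware call, and the table and column names are the ones from the post.

```python
# Escape map reproducing the characters PHP's mysql_real_escape_string is
# documented to escape (NUL, \n, \r, backslash, ', ", Ctrl-Z). Simplified
# stand-in for illustration: it assumes a single-byte connection charset and
# is not a replacement for the real, connection-aware call.
ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}

def escape(value: str) -> str:
    """Backslash-escape the characters MySQL treats specially inside a literal."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def naive_query(username: str) -> str:
    """No escaping: a quote in the input terminates the literal early."""
    return f"SELECT a FROM b WHERE c = '{username}'"

def quoted_query(username: str) -> str:
    """Escaped AND enclosed in single quotes, as the post recommends."""
    return f"SELECT a FROM b WHERE c = '{escape(username)}'"

def unquoted_query(user_id: str) -> str:
    """Escaped but NOT quoted: there is no quote to break out of, so escaping
    changes nothing and the whole input is parsed as SQL."""
    return f"SELECT a FROM b WHERE id = {escape(user_id)}"

def numeric_query(user_id: str) -> str:
    """For an unquoted numeric column, enforce the type instead of escaping."""
    return f"SELECT a FROM b WHERE id = {int(user_id)}"

def string_literals(sql: str) -> list[str]:
    """Return the bodies of single-quoted literals in sql, honouring MySQL's
    backslash escapes. A correctly escaped value comes back as ONE literal."""
    literals, i = [], 0
    while i < len(sql):
        if sql[i] != "'":
            i += 1
            continue
        body, j = [], i + 1
        while j < len(sql) and sql[j] != "'":
            step = 2 if sql[j] == "\\" else 1   # keep escape pairs together
            body.append(sql[j:j + step])
            j += step
        literals.append("".join(body))
        i = j + 1
    return literals

if __name__ == "__main__":
    payload = "' OR '1'='1"   # constructed sample input
    print(len(string_literals(naive_query(payload))), "literals: quote broke out")
    print(len(string_literals(quoted_query(payload))), "literal: value stayed inert")
```

Running it shows the unescaped query split into three literals while the escaped, quoted one stays a single literal; the unquoted integer case has to be handled by type checking, not escaping.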