Wildhoney (the guy who made the threads haris pointed you to) and I are some of the best PHP programmers on the forum; however, our coding styles are miles apart. Here are the methods I use, I find them simpler. Both methods work, use whichever you like best.
Use
SELECT * FROM `table_name` WHERE `field` = '1'
as opposed to
SELECT * FROM table_name WHERE field = '1'
That way all you have to do is clean the query; otherwise harmless commands that the sprintf method takes out will be escaped and harmless. I find it simpler, although both work.
To clean SQL, run all GET, POST and cookie data through this function.
PHP Code:
// Escapes one request value (GET, POST or cookie) so it can be placed
// inside single quotes in an SQL string. Needs an open mysql_* connection,
// because mysql_real_escape_string() escapes for the connection's charset.
function sql_safe($value)
{
    // Undo magic_quotes_gpc first, otherwise the value gets escaped twice
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // Escape anything that is not a plain integer (a leading zero is kept
    // as a string, e.g. a zip code such as 01234)
    if (!is_numeric($value) || $value[0] == '0')
    {
        $value = mysql_real_escape_string($value);
    }
    return $value;
}
For passwords, use sha1; one-way encryption can never be hacked (but sha1("a"); will always render the same result).
I have an example on my portfolio that has a user system on it:
http://justanotherportfolio.com/example.php
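An added example (not the poster's code) that carries the post's two pieces of advice, quote every value and hash passwords, into current PHP: the mysql_* functions no longer exist, so it uses mysqli, shows a prepared statement beside the escape-and-quote query, and swaps in password_hash() for sha1(). The connection details and the `users` table layout are assumptions.

```php
<?php
// Added example, not the poster's code. Connection details are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4'); // escaping is only correct for the connection's charset

// Same idea as the post's sql_safe(): escape every request value, and always
// wrap it in quotes in the SQL, so the escaping is what keeps it inert.
function sql_safe(mysqli $db, string $value): string
{
    return $db->real_escape_string($value);
}

// Variant 1: escape-and-quote, the style the post recommends.
// Assumes a `users` table with `id`, `username` and `password_hash` columns.
function find_user_escaped(mysqli $db, string $username): ?array
{
    $u = sql_safe($db, $username);
    $res = $db->query("SELECT `id`, `password_hash` FROM `users` WHERE `username` = '$u'");
    return ($res && ($row = $res->fetch_assoc())) ? $row : null;
}

// Variant 2: a prepared statement. The value never becomes part of the SQL
// text, so there is no escaping step that can be forgotten.
function find_user_prepared(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT `id`, `password_hash` FROM `users` WHERE `username` = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// Password storage: password_hash() (salted bcrypt by default) in place of the
// post's sha1(), so two users with the same password do not share a hash.
function register(mysqli $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO `users` (`username`, `password_hash`) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
}

// Login check: look the user up, then verify against the stored hash.
function login(mysqli $db, string $username, string $password): bool
{
    $row = find_user_prepared($db, $username);
    return $row !== null && password_verify($password, $row['password_hash']);
}
```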