How much sanatization does this form input need?

Is

$username = $_POST['username'];

$sanitizedUsername = strip_tags(stripcslashes($username));

enough to prevent malacious sql injections and other types of attacks. If not what else should I use?

P.S. I want to allow users to choose usernames and passwords that contain alphanumeric, space and symbol characters (except those like quotes or asterisks that 开发者_如何学运维are used in mysql statements).

When you insert into the database, use:

mysql_real_escape_string($_POST['username']);

When you are outputting to HTML, use:

htmlspecialchars($_POST['username']);

If you'r environment allows it, always use parametrized queries to avoid SQL injection http://pl.php.net/manual/en/mysqli.prepare.php

Use string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )

http://www.php.net/mysql_real_escape_string