Form validation effectiveness (if eregi(invalid characters) die)


Daria
09-25-2006, 12:00 PM
I am working on form security (a learning curve for me); understanding that there is no such thing as 100% secure input, I am reading on the subject.

Meanwhile, I am implementing some validation, to avoid (within reason) passing a script. See the example I used in the form passing variables to search a MySQL table below:

// Reject the search term if it contains the name of a file/directory function
// (eregi() is a case-insensitive match; it was removed in PHP 7, preg_match() with
// the /i modifier is the modern equivalent).
if (eregi('opendir', $search)) die("invalid characters!");
if (eregi('fwrite', $search)) die("invalid characters!");
if (eregi('fopen', $search)) die("invalid characters!");
if (eregi('fread', $search)) die("invalid characters!");
// Whitelist: only letters and digits, at most 64 of them (note: this also rejects spaces).
if (!eregi("^[a-zA-Z0-9]{0,64}$", $search)) die("too many characters!");

(I have everything on separate lines for better visual reference for me.)

How effective would things like these be?

pcthug
09-25-2006, 05:20 PM
Why not just make use of the mysql_real_escape_string (http://www.php.net/mysql_real_escape_string/) function?

Unless you are going to be passing user input to the eval (http://www.php.net/eval) function, there are no security risks in accepting php functions as valid input.
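To make the answer concrete, here is an added example (not code from the thread): the search term is passed to MySQL two ways, escaped as pcthug suggests, and as a bound parameter of a prepared statement. It assumes PHP with the mysqli extension and a hypothetical `articles` table with a `body` column; `mysqli_real_escape_string()` stands in for `mysql_real_escape_string()` because the old mysql extension no longer exists in PHP 7 and later.

```php
<?php
// Added example, not from the forum post. Assumes the mysqli extension and a
// hypothetical table `articles` (columns id, body).

// 1. Escaping, as suggested in the post: every quote/backslash/NUL in $search is
//    escaped before the value is interpolated into the SQL text. This is only
//    safe when the escaped value sits inside quotes in the query.
function search_escaped(mysqli $db, string $search): array
{
    $safe = mysqli_real_escape_string($db, $search);
    $sql  = "SELECT id, body FROM articles WHERE body LIKE '%" . $safe . "%'";
    $rows = [];
    $res  = $db->query($sql);
    while ($row = $res->fetch_assoc()) {
        $rows[] = $row;
    }
    return $rows;
}

// 2. Prepared statement: the query text and the value travel separately, so no
//    character in $search can change the structure of the query. Function names
//    like fopen or fwrite in the text are just data to the database.
function search_prepared(mysqli $db, string $search): array
{
    $stmt    = $db->prepare("SELECT id, body FROM articles WHERE body LIKE ?");
    $pattern = '%' . $search . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed input: a sentence that the keyword blacklist above would reject,
// containing both a function name and a quote character.
$search = "why does fopen() fail when it's run from cron?";

// Placeholder credentials; replace with real ones.
$db = new mysqli('localhost', 'user', 'password', 'example_db');
$db->set_charset('utf8mb4'); // escaping is charset-aware, so set it before escaping

foreach (search_prepared($db, $search) as $row) {
    echo $row['id'], ': ', $row['body'], "\n";
}
```

Two caveats a reviewer would raise on the escaping variant: it protects only values that are enclosed in quotes in the query (an escaped value dropped into `WHERE id = $safe` with no quotes is still injectable), and the escape function must know the connection character set, hence the `set_charset()` call. The prepared statement has neither problem, which is why it is the preferred form.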

Daria
09-26-2006, 09:01 AM
I am not sure: I need this for a search function, where people can search for long sentences that might include different special characters, not just simple username/password or other small string...

bokeh
09-26-2006, 09:21 AM
> I am not sure

The thug is right, escaping the user input will stop any adverse effects on your database. After this you are only dealing with the results of a select query which of course is known data.
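Daria's worry above is that a sentence search needs to accept spaces and punctuation, which the `[a-zA-Z0-9]{0,64}` whitelist forbids. The added example below (not code from the thread) keeps only the length limit from that check and leaves quoting to a prepared statement; it also handles the one detail escaping does not cover for a `LIKE` search: the wildcard characters `%` and `_` inside the user's text. The `articles` table and `body` column are hypothetical; `like_pattern()` runs without a database.

```php
<?php
// Added example, not from the forum post. Builds a length-limited LIKE pattern
// for free-text search and binds it as a parameter.

// Returns the LIKE pattern for $search, or null when the term is empty or
// longer than $max bytes (strlen counts bytes, not characters).
function like_pattern(string $search, int $max = 64): ?string
{
    $search = trim($search);
    if ($search === '' || strlen($search) > $max) {
        return null;
    }
    // Inside a LIKE pattern '%' and '_' are wildcards and '\' is MySQL's
    // default escape character, so all three are escaped with a backslash.
    // Without this, a search for "100%" would match every row containing "100".
    return '%' . addcslashes($search, '\\%_') . '%';
}

// The pattern is bound as a parameter: the '%' added at each end are the only
// wildcards the server interprets, and quotes in the text cannot break the query.
function search_sentence(mysqli $db, string $search): array
{
    $pattern = like_pattern($search);
    if ($pattern === null) {
        return [];
    }
    $stmt = $db->prepare("SELECT id, body FROM articles WHERE body LIKE ?");
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed self-checks; these run without a database connection.
assert(like_pattern("it's 100% done") === "%it's 100\\% done%");
assert(like_pattern("fopen(); fwrite()") === "%fopen(); fwrite()%");
assert(like_pattern(str_repeat('a', 65)) === null);
assert(like_pattern("   ") === null);
echo "like_pattern checks passed\n";
```

The second assertion is the point of the thread in one line: a sentence containing PHP function names passes straight through, because once the value is bound as a parameter those names are nothing more than text to compare against. The length cap is kept as a sanity limit on request size, not as a security control.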