In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?

说谎 2020-11-22 03:18

I am working on a form with the possibility for the user to use illegal/special characters in the string that is to be submitted to the database. I want to escape/negate thes

6 answers
  •  Happy的楠姐
    2020-11-22 04:05

    First of all, you should sanitize things when displaying, not before inserting into the database. SQL injections are another story, but probably off-topic.

    Second, if you don't need your users to be able to post HTML at all, htmlspecialchars is all you need. It takes care of all the special characters in HTML.
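An added illustration of the approach in the answer above (not part of the original post): the raw string goes into the database through a bound parameter, and `htmlspecialchars()` is applied only when the value is written into HTML. It assumes the `pdo_sqlite` extension is available; the `comments` table, the `e()` helper and the sample input are hypothetical and constructed for the example.

```php
<?php
// Added example: store the raw string, escape only when rendering HTML.
// Assumption: pdo_sqlite is installed. Table and helper names are hypothetical.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input containing HTML and SQL metacharacters.
$submitted = "<script>alert('x')</script> O'Reilly & \"friends\"";

// Insert: the value is bound as a parameter, so it is never parsed as SQL
// and needs no HTML escaping at this point.
$stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $submitted]);

// The database holds exactly what the user typed.
$stored = $pdo->query('SELECT body FROM comments WHERE id = 1')->fetchColumn();
if ($stored !== $submitted) {
    throw new RuntimeException('stored value differs from submitted value');
}

// Output helper: escape for the HTML context at display time.
// ENT_QUOTES covers both quote styles, which matters inside attributes.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Element content and a quoted attribute value both use the same helper.
echo '<p>' . e($stored) . "</p>\n";
echo '<input type="text" name="body" value="' . e($stored) . "\">\n";

// Why not escape before inserting: the stored data would already contain
// entities, and escaping again on display turns "&amp;" into "&amp;amp;".
$escapedOnce  = e($submitted);
$escapedTwice = e($escapedOnce);
echo ($escapedOnce === $escapedTwice)
    ? "escaping is idempotent\n"
    : "double escaping corrupts the displayed text\n";
```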
