
Validation + Real Escape?


torque


I am wondering what the standards are for this. If you real-escape your form input data, do you need to validate the entry? Every time I try to use validation options it seems to decrease user friendliness. Nothing is posted directly to the site; it gets filtered by a person first. Is this just too old-fashioned, or is it a suitable circumstance to leave out the validation? I appreciate your thoughts!


The only thing mysql(i)_real_escape_string() does is prevent SQL injection attacks. Nothing more and nothing less. An SQL injection attack is when an attacker tries to use a field to influence the whole of your SQL query, thereby forcing it to do stuff it wasn't meant to do, potentially giving away useful information in the process.

Other kinds of validation include what you allow in the database for various other reasons. For example, you may want to make sure that an "email" field contains a valid email that you could at least try to contact. If it doesn't contain a valid email, you may end up letting an attacker perform a "mail header injection attack"... similar to an SQL injection, only instead of getting control of an SQL query, an attacker gets control of an SMTP server, potentially sending spam emails, or worse yet, presenting himself as you and luring people into typing their passwords on another site.

The only way you can be sure that you're "hacker free" (or at least "almost" hacker free) is to validate all of your user input and decline anything that doesn't fit expectations. Of course, for the sake of user experience, you should have good error messages, fill out the form fields as they were, etc.

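An added illustration of the distinction the reply draws (this is example code, not something either poster wrote): SQL escaping only protects the query it is spliced into, while a separate validation step is what keeps a malformed address out of a mail header. `mysql_escape` is a labelled stand-in for the backslash rules of mysql_real_escape_string(), and the email pattern is deliberately stricter than the RFC.

```python
import re
from typing import Optional

# Characters that end one mail header and start the next. A value containing
# them must never reach a header, whatever SQL escaping did to it on the way in.
HEADER_BREAK = re.compile(r"[\r\n]")
# Deliberately strict: one local part, a dotted domain, no spaces (assumption).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$")


def mysql_escape(value: str) -> str:
    """Stand-in for mysql_real_escape_string(): backslash the characters that are
    special inside a MySQL quoted literal. MySQL restores the original bytes when
    it parses the literal, so the stored value is untouched. Transport protection only."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def validate_email(value: str) -> Optional[str]:
    """Validation layer: return the address only if it fits expectations,
    otherwise None so the form can show a proper error and keep the field filled."""
    candidate = value.strip()
    if len(candidate) > 254 or HEADER_BREAK.search(candidate):
        return None
    if not EMAIL_RE.fullmatch(candidate):
        return None
    return candidate.lower()


def reply_to_header(user_supplied: str) -> str:
    """Build a Reply-To header from form input, refusing anything unvalidated."""
    address = validate_email(user_supplied)
    if address is None:
        raise ValueError("invalid email address")
    return f"Reply-To: {address}\r\n"


def check(inputs):
    """Constructed form inputs -> (accepted address or None, SQL-escaped form).
    Escaping accepts every input; only the validator rejects the bad ones."""
    return [(validate_email(v), mysql_escape(v)) for v in inputs]


if __name__ == "__main__":
    for accepted, escaped in check(["Torque@Example.com", "not an email",
                                    "x@example.com\r\nBcc: y@example.com"]):
        print(accepted, "|", escaped)
```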
