Avoid php hackers from forms

please i want to know how to avoid hacker from hacking my website using forms

i wrote only in the post:

htmlspecialchars($_POST['first_name']);

notice that i made validation using javascript to my form…
but hackers can make sql statment to delete my DB or any type of hacking…

but my question is : can the code htmlspecialchars avoid hacking from forms?? or how to avoid it??

how to stop hackers or avoid them from hacking my website??

Even if a value being inserted in a database table is numeric, you should enclose the value in quotes in your insert or set sql statement. It doesn’t matter that the database table column type is some sort of numeric type. You can still enclose the numeric value in quotes in you sql statement.

I agree with guido2004 that you should validate all user inputs server side because javascript is too easy to switch off in a browser by the user and so js validation is easily bypassed.

You have to do all validation server side. Client side validation (JS) is an extra, but you still have to do all validation server side.

To prevent MySQL injection, you can use PDO , or sanitize all user input yourself before using it in a query by passing all string values (values that in your query are put between quotes) through mysql_real_escape_string(), and checking all numeric values by casting them with (int).