If you do any PHP programming that includes writing data to or reading data from a database, then it’s important to keep an eye on how you are entering data into your database; you don’t know what your users intentions are, and while most of them just want to use your site as intended, some users could have more malicious intentions. You shouldn’t enter data directly as the user enters it, for a couple of reasons.
1) SQL injection attacks
One of the more common types of attack. If the user enters SQL code into a field, that code will be run. The easiest way to guard against this is to use the function ‘mysqli_real_escape_string’; this will escape any special characters used in SQLqueries ( for example, single quotes), this will prevent the user from adding in additional SQL statements that will be run (in the example above,it will be treated as one big text string that will be entered into the name column of the database, rather than a separate SQL command.
2) Cross-site scripting attack
These are just a couple of basic things that you can do to protect your website; there is a lot more information online, starting with PHP’s own website; a quick google search will give you a number of resources to make your site even more secure.