Hi there,
I am trying to decide on a rational way to keep my web app reasonably secure from attack but also to handle awkward characters ( such as ampersand, quotes, forward/backslashes etc) in string data properly. I have got myself confused, so any (helpful) comments would be welcomed!

Assume the next line is entered by a user in a form text field...(as writ)
Mr O'Reilly & my mate "Jim"

so this gets posted to the server, and ends up in $foo=$_POST(['myformvar'];

Question - has it got mangled by the time it gets into $foo already?
If so, how to stop it?

Now to store $foo into my table...

I assume I need to escape the data before trying to insert it into the MySQL table? so
$foo= addslashes($foo) ;

now i can put it into MySQL by enclosing in single-quotes with something like this..
$sql= "UPDATE `mytable` myfield1='.$foo.' WHERE ID=1"

and the whole string should end up stored properly in the table ? because I escaped it first?

When I extract the data and put it back in $bar...
$sql = "SELECT myfield1 FROM `mytable` WHERE ID=1";
(plus php code stuff to run the query, put the result field back into variable $bar )


so now I need to $bar= stripslashes($bar); or otherwise any comaprisons I make with user data will not work?
and then carry on with code, comparisons etc...

Is this right. please?
Does it boil down to rules:
1) "must addslashes to ALL string fields before putting into table,
2) must IMMEDIATELY stripslashes on ALL string data coming out of a table, before using it

Please comment.. sorry it's rather a long post!

thanks
Chris