
Re: security

Posted: Tue Jun 21, 2011 9:05 pm
by jacek
uhshosting wrote: should mysql_real_escape_string be used on all text fields besides ones that are integer only? In that case use (int)
Yes :)
uhshosting wrote: what is the proper syntax for mysql_real_escape_string in a form such as
uhshosting wrote: as well as int as in
$email = mysql_real_escape_string($_POST['email']);
$zip = (int)$_POST['zip'];
This should be done after validation.
uhshosting wrote: ALSO I have validation for them; would that eliminate SQL injection already? (I doubt the email validation would prevent SQL injection, but the zip one mostly would)
Exactly right, the email validation could still allow MySQL control characters, but the zip one, which limits to numbers and spaces, would not. That said, a space could cause a MySQL error:
UPDATE `table` SET `zip` = 12 364 WHERE `id` = 12
would cause a syntax error I think, but no harm can come from it, it just won't work right.

Re: security

Posted: Tue Jun 21, 2011 9:50 pm
by JelvinJS7
This may be relevant/helpful. You judge.

In HTML5, the email and (I think) integer values for the input type attribute were added, so it makes sure they were typed correctly.
You could validate with that knowledge.

Re: security

Posted: Wed Jun 22, 2011 12:19 pm
by jacek
Not exactly.
$email = mysql_real_escape_string($_POST['email']);
$fname = mysql_real_escape_string($_POST['fname']);
$lname = mysql_real_escape_string($_POST['lname']);
$phone1 = mysql_real_escape_string($_POST['phone1']);
$phone2 = mysql_real_escape_string($_POST['phone2']);
$commodity = mysql_real_escape_string($_POST['commodity']);
$mattype = mysql_real_escape_string($_POST['mattype']);
$quantity = mysql_real_escape_string($_POST['quantity']);
$price = mysql_real_escape_string($_POST['price']);
$manutime = mysql_real_escape_string($_POST['manutime']);
All of this escaping should be done by the add_user() function, which you should pass all of the variables to instead of relying on $_POST from within the function.
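Putting the thread's advice together (validate first, then escape text fields or cast integer fields, inside a function that receives the values as parameters rather than reading $_POST itself), as an added example that is not code from the thread. The `$link` handle, the `users` table and its column names are assumptions.

```php
<?php
// Added example, not code from the thread. Uses the mysql_* extension the
// thread discusses (removed in PHP 7); with mysqli the same structure applies
// using mysqli_real_escape_string($link, $value). $link is assumed to be an
// open mysql_connect() handle; the table and column names are assumptions.

function add_user($link, $email, $fname, $zip) {
    // 1. Validate first: reject anything the column should never hold.
    //    Note that a valid address such as o'reilly@example.com still contains
    //    a quote, which is why the text fields are escaped in step 2 as well.
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return 'invalid email';
    }
    if (!preg_match('/^[A-Za-z \'-]{1,50}$/', $fname)) {
        return 'invalid first name';
    }
    // Digits only, no spaces: a value like "12 364" would otherwise be
    // silently truncated to 12 by the (int) cast below.
    if (!preg_match('/^\d{5}$/', $zip)) {
        return 'invalid zip';
    }

    // 2. Then escape the text fields and cast the integer field.
    $email = mysql_real_escape_string($email, $link);
    $fname = mysql_real_escape_string($fname, $link);
    $zip   = (int) $zip;

    // 3. Quote every text value in the SQL; the integer needs no quotes.
    $sql = "INSERT INTO `users` (`email`, `fname`, `zip`) "
         . "VALUES ('$email', '$fname', $zip)";
    if (!mysql_query($sql, $link)) {
        return 'query failed: ' . mysql_error($link);
    }
    return true;
}

// The caller passes the request values in; the function never touches $_POST.
$result = add_user($link, $_POST['email'], $_POST['fname'], $_POST['zip']);
```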