
Is it necessary to validate a name or street address when I have it coded in the following format? And if so, why?

$address = mysqli_real_escape_string($mysqli, htmlentities($_POST['address']));
$name = mysqli_real_escape_string($mysqli, htmlentities($_POST['name']));

3 Answers

  1. Do not store values filtered by htmlspecialchars/htmlentities/etc. in your database; do it directly before display in HTML/XML/etc. documents.
  2. If you're OK with names like blah blah <>DAS#^^2@@vm/.,czc, then this code looks fine.



How many names or addresses do you know of that contain a '$' or '%'? There are simple checks you can perform to check for users being stupid. Usually a name will only contain word characters (and sometimes with a comma and period if they are a Jr, Sr, etc) and an address will only contain alphanumeric characters (unless they abbreviate, in which case a period might be included). It's not necessary, but personally I would put in checks so you don't end up with users just entering random BS just to be funny (that's one of my pet peeves, sorry).



You seem a bit mixed up there because you have 2 means of escaping data and none of filtering, when the rule is FIEO: Filter Input, Escape Output.

Filtering:

If YOU DECIDE that a "name" can only be upper and lower case letters, be between 2 and 50 characters long and can contain dashes and single quotes ('), then you should either:

remove anything not matching your own definition (example above, using regular expressions maybe) OR abort the operation,

depending on how kind you want to be to your user/potential cracker.

filter_var() is also very useful in this scenario.

Escaping:

You escape the data in readiness for the next environment the data is headed for:

If it's to go into a database then you'd use your mysqli_real_escape_string(); if you are echoing to the screen in HTML then use htmlentities(), and so on.

HTH
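The FIEO rule from this answer applied to the asker's $name and $address fields, as an added example that is not code from the question or from any of the answers. It assumes an open mysqli connection in $mysqli and a hypothetical table people(name, address); the whitelist for addresses is an assumption, since only the name rule is spelled out above.

```php
<?php
// Added example: Filter Input, Escape Output for the asker's two fields.
// Assumes $mysqli is an open mysqli connection and that a table
// people(name, address) exists (hypothetical schema).

// Filter input: whitelist rules decided by the application owner.
function filterName(string $raw): ?string
{
    $name = trim($raw);
    // Letters, spaces, dashes and single quotes, 2 to 50 characters
    // (the rule stated in the answer; \p{L} also accepts accented letters).
    // \z rather than $ so a trailing newline cannot slip past the check.
    if (preg_match('/^[\p{L} \'\-]{2,50}\z/u', $name) !== 1) {
        return null;            // reject rather than silently mangle
    }
    return $name;
}

function filterAddress(string $raw): ?string
{
    $address = trim($raw);
    // Assumed whitelist: letters, digits, spaces, commas, periods,
    // dashes, '#' and '/', 5 to 100 characters.
    if (preg_match('/^[\p{L}\p{N} ,.\-#\/]{5,100}\z/u', $address) !== 1) {
        return null;
    }
    return $address;
}

$name    = filterName($_POST['name'] ?? '');
$address = filterAddress($_POST['address'] ?? '');
if ($name === null || $address === null) {
    http_response_code(400);
    exit('Invalid name or address');
}

// Escape for the database: a prepared statement keeps data separate from
// SQL, so neither mysqli_real_escape_string() nor htmlentities() is
// applied to the stored value.
$stmt = $mysqli->prepare('INSERT INTO people (name, address) VALUES (?, ?)');
$stmt->bind_param('ss', $name, $address);
$stmt->execute();

// Escape for HTML only at output time; the stored value stays unchanged.
echo '<p>Saved: ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
```

If a plain "abort" is too unfriendly, the same regular expressions can be handed to filter_var() with FILTER_VALIDATE_REGEXP to report which field failed.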

