prevent sql injection & clean
Project ID: 1257661726
Project Details
  • Status:
    Closed (Chosen Programmer: coolguyinus2004; Paid + bonus; Rated 10 out of 10)
  • Posted:
    11/8/2009 at 1:28 EST
  • Closed:
    11/9/2009 at 1:38 EST
  • Project Creator:
    Rated 10 out of 10 for this project.
  • Budget:
    Minimum $10
  • Description:
    I have a project to "better code" a page when data is entered by a visitor into a guestbook comment and then into a db. I want to make sure the info is not html and will prevent any sql injection.

    The guestbook comment does use a captcha. I have created a badwords filter for the comments section. A sample of the code, reworked a bit, is written below. The whole file will be given to the programmer selected.

    // Name and comment are escaped before being placed in the SQL strings;
    // sdate and value are taken from the form as-is.
    $v1=mysql_real_escape_string(stripslashes($_POST['name']));
    $v2=mysql_real_escape_string(stripslashes($_POST['comment']));
    $v3=$_POST['sdate'];
    $v4=$_POST['value'];
    $v5=date("F j, Y");
    $er=0;   // error counter, incremented by each failed check below

    // Duplicate check: has this visitor (value, name, date) already commented?
    $sql="SELECT * FROM table where value2=\"$v4\" AND gname=\"$v1\" AND value8=\"$v3\"";
    $result = mysql_query($sql,$connection) or die("Couldn't connect to members database at this time from member_thank_you. Sorry for the inconvenience. Please try again later.<br>");
    $num=mysql_num_rows($result);
    if($num !=0)
    {$er=$er+1;
    echo "<center><font size='-1' color='red'>You have already left a comment.</font></center><br>";}

    if (trim($_POST['name'])=='')
    {$er=$er+1;
    echo "<center><font size='-1' color='red'>You must enter your name.</font></center><br>";}

    if (trim($_POST['comment'])=='')
    {$er=$er+1;
    echo "<center><font size='-1' color='red'>You must enter your comments.</font></center><br>";}

    if (strlen($_POST['comment'])>499)
    {$er=$er+1;
    echo "<center><font size='-1' color='red'>Your comments must be less than 500 characters.</font><br></center>";}

    // Only insert when every check above passed.
    if ($er==0)
    {$insert=mysql_query("INSERT INTO table values (\"\", '$v1', '$v2', '$v5', '$v3')") or die ("Could not insert data because of error");}

    * You must complete the work within 48 hours upon agreement.
    * You must be able to do and complete the work and page must function as described above.
  • Tags:
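As an added example (not code from the posting or from the chosen programmer), the same guestbook checks rewritten so that visitor input is bound as parameters with mysqli prepared statements instead of being concatenated into the SQL, and HTML is neutralised when the stored text is rendered. It assumes an open mysqli connection in $mysqli and uses placeholder table and column names (guestbook, name, comment, posted, sdate, value) in place of the poster's real schema.

```php
<?php
// Added example, not the project's own code. Assumes $mysqli is an open
// mysqli connection; table and column names are placeholders.

function guestbook_insert(mysqli $mysqli, array $post): array {
    $errors  = [];
    $name    = trim($post['name'] ?? '');
    $comment = trim($post['comment'] ?? '');
    $sdate   = trim($post['sdate'] ?? '');
    $value   = trim($post['value'] ?? '');
    $today   = date("F j, Y");

    if ($name === '')           { $errors[] = 'You must enter your name.'; }
    if ($comment === '')        { $errors[] = 'You must enter your comments.'; }
    if (strlen($comment) > 499) { $errors[] = 'Your comments must be less than 500 characters.'; }

    // Duplicate check: every user value is a bound parameter, so quotes or
    // SQL keywords in the input cannot change the statement's structure.
    $stmt = $mysqli->prepare(
        'SELECT COUNT(*) FROM guestbook WHERE value = ? AND name = ? AND sdate = ?');
    $stmt->bind_param('sss', $value, $name, $sdate);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    if ($count > 0) { $errors[] = 'You have already left a comment.'; }

    // Nothing is written to the database while any check has failed.
    if ($errors) { return $errors; }

    $stmt = $mysqli->prepare(
        'INSERT INTO guestbook (name, comment, posted, sdate) VALUES (?, ?, ?, ?)');
    $stmt->bind_param('ssss', $name, $comment, $today, $sdate);
    $stmt->execute();
    $stmt->close();
    return [];
}

// Store the raw text, escape on output: any HTML a visitor typed is shown
// literally instead of being rendered by the browser.
function render_text(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Usage: $errors = guestbook_insert($mysqli, $_POST);
// foreach ($errors as $e) { echo '<p class="error">' . render_text($e) . '</p>'; }
```

Because the values are bound rather than escaped into a string, stripslashes and mysql_real_escape_string are no longer needed, and the 500-character limit is enforced on the trimmed comment before the query is built.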
Project Bids

(8 bids have been placed. weddingmuseum has chosen to keep all bids for this project hidden.)