To help counter SQL injections you need to make sure that entered values use minimum character types as possible. So you restrict usernames to just a-z and 0-9 characters.
To test for these, use something like :
//——————————————————
/**
* Purpose : Check input for paticular characters
* Only allow a – z, A – Z , 0-9
* returns true if a match was found, false if no match was found
* @return boolean
*/
function is_valid_input($words) {
if ( preg_match( “/[^0-9a-zA-Z]/”, $words, $array ) )
return false; //invalid characters
else
return true; //valid characters
}