
View Full Version : Which is better?



raz
September 10th, 2006, 03:01 PM
I have a search form that's going to be searching for information from a database. That's all fairly simple but my question has to do with preventing SQL Injection...

Should I:
A) Use javascript so when a user clicks search <>!#@$&%).' all get stripped from the form, then submit the information that's left;
-or-
B) Just use PHP to strip_tags() the value of the form;

Which would be easier? I'm thinking the PHP, but also which would be more efficient?

If I did do PHP, it would prevent SQL Injection right? I'm not a big fan of nerds who have fun with forms... lol

λ
September 10th, 2006, 03:13 PM
You use addslashes() or mysql_real_escape_string() to prevent SQL injection, not strip_tags(). strip_tags() prevents XSS attacks.

And JavaScript provides very little protection because any semi-intelligent attacker will be able to get around it very easily by sending data directly to the form's target, so using B with addslashes or mysql_real_escape_string is the correct approach.
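To make the distinction in this answer concrete, here is an added PHP example (not code from the thread or from any of its posters). It assumes a MySQL table named `products` with an `id` and a `name` column and an open `mysqli` connection in `$db`; both names are assumptions. It first shows that `strip_tags()` leaves the characters that matter for SQL untouched, then shows the same search three ways: string concatenation (the vulnerable form), the escaping approach recommended above in its current `mysqli` spelling, and a prepared statement, which keeps the search term out of the SQL text entirely.

```php
<?php
// Added example, not from the original thread. Assumed schema: products(id, name).
// Assumes $db is an open mysqli connection, e.g. new mysqli('localhost', 'user', 'pass', 'shop').

// strip_tags() only removes HTML tags, so a SQL-significant input passes through unchanged.
$probe = "' OR '1'='1";
var_dump(strip_tags($probe) === $probe); // bool(true): the quote characters survive

// 1) Vulnerable: the raw search term is concatenated into the SQL string.
function search_vulnerable(mysqli $db, string $term)
{
    $sql = "SELECT id, name FROM products WHERE name LIKE '%" . $term . "%'";
    return $db->query($sql);
}

// 2) Escaping, the thread's recommendation, using mysqli_real_escape_string.
//    It escapes quotes, backslashes and NUL bytes according to the connection's charset,
//    so the term can only ever be read by MySQL as string content.
function search_escaped(mysqli $db, string $term)
{
    $safe = $db->real_escape_string($term);
    $sql  = "SELECT id, name FROM products WHERE name LIKE '%" . $safe . "%'";
    return $db->query($sql);
}

// 3) Prepared statement: the query text is fixed and the term is sent as a bound parameter,
//    so no escaping of the term is needed for SQL purposes at all.
function search_prepared(mysqli $db, string $term): array
{
    $stmt = $db->prepare("SELECT id, name FROM products WHERE name LIKE ?");
    // LIKE wildcards supplied by the user are not an injection, but they change the match;
    // escape them if a literal search is intended.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Typical handler: read the term server-side, query with a prepared statement,
// and escape for HTML only when echoing results back to the page (that is the XSS side).
$term = $_GET['q'] ?? '';
foreach (search_prepared($db, $term) as $row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

The JavaScript option from the question never appears here because the server cannot know whether the client ran it; whichever of the two server-side variants is used, it has to run on every request regardless of what the browser did. Of the two, the prepared statement is the one to reach for: the escaping variant depends on the connection charset being set correctly, while the bound parameter does not.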

pixelDepth
September 10th, 2006, 03:13 PM
I have a search form that's going to be searching for information from a database. That's all fairly simple but my question has to do with preventing SQL Injection...

Should I:
A) Use javascript so when a user clicks search <>!#@$&%).' all get stripped from the form, then submit the information that's left;
-or-
B) Just use PHP to strip_tags() the value of the form;

Which would be easier? I'm thinking the PHP, but also which would be more efficient?

If I did do PHP, it would prevent SQL Injection right? I'm not a big fan of nerds who have fun with forms... lol

Do it server side, period.

If you are using MySQL, then use the real_escape_string; PHP.net has a little function that you can just grab...

http://php.net/manual/en/function.mysql-real-escape-string.php

Esherido
September 10th, 2006, 06:31 PM
Definitely go server-side. Client side is just way too "hackable." Anybody can send a request to your mail server, which means they don't have to use the HTML page you've given them.

raz
September 11th, 2006, 05:56 PM
Thanks! Appreciate the help!

Esherido
September 11th, 2006, 08:26 PM
No problem mate. Good luck. ;)