[web] MySQL - Website with accounts

11 comments, last by Maugrim_The_Reaper 18 years, 1 month ago
I am wondering, if given an input from the user (a password and username), could you just check to see if someone entered a special character such as *, ', \, /, or " and just trivially reject the input and not allow those characters as valid?

Or is that what is meant by being cleaned?

Also, I was wondering, if some special characters are necessary, couldn't you do an entity replace like HTML does?

Just my two cents, I am still learning security issues myself when it comes to sql.
Joel Bruce, Founder of JAB IT and Yoale's Site
Vivid War Game Manual
Cleaning variables is easy.

$clean_username = mysql_escape_string($_POST['username']);
$clean_password = mysql_escape_string($_POST['password']);

that will escape all the nasty little \'s, ''s, "'s, etcetera for you.

Sander Marechal [Lone Wolves][Hearts for GNOME][E-mail][Forum FAQ]

What everyone is trying to nail is that you need to filter, and then escape data before it enters the database.

If you only want to allow usernames with alphabetic and number characters, you would need to check that's exactly what the user did (otherwise they could be sending you anything!).

if(!ctype_alnum($_POST['username'])) {
echo 'bad username'; // or do something else to let user know
}

Then you need to escape this variable before sending it to the database. This helps prevent SQL injections, where SQL or other special characters can be inserted into your SQL for some effect - sometimes to read or write additional data you never intended.

$sql['username'] = mysql_real_escape_string($_POST['username']);
// do SQL statement here using $sql['username']

Important to note: mysql_real_escape_string() is recommended over mysql_escape_string(). Also note there is a mysqli_* variant when using PHP5 instead of PHP4. Just a little extra "i" on all mysql functions for PHP5 and any MySQL version above 4.0.

If you want to have more fun on security, read http://forums.devnetwork.net/viewtopic.php?t=38810.
Open Source PHP Developer
Quantum Star SE Evolved: Developing an open source space strategy game in PHP.
My Blog: Beware of Ramblers!
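Putting the advice in the thread together (validate first, then keep untrusted data out of the SQL text), here is an added example that is not from any post above: a whitelist check on the username followed by a mysqli prepared statement, so the password never becomes part of the query string at all. The `users` table, its `username` and `password_hash` columns, the connection details, and PHP 7+ are assumed.

```php
<?php
// Added example (not from the thread). Assumes a table `users` with
// columns `username` and `password_hash` (a value produced by password_hash()).

// Step 1: validate. Only letters and digits are allowed in a username, so
// anything else is rejected outright rather than escaped.
function is_valid_username(string $username): bool {
    return $username !== '' && strlen($username) <= 32 && ctype_alnum($username);
}

// Step 2: the password is not filtered (users may legitimately use quotes or
// backslashes). Instead it is bound as a parameter: mysqli sends it to the
// server separately from the SQL text, so it cannot change the statement.
function login(mysqli $db, string $username, string $password): bool {
    if (!is_valid_username($username)) {
        return false;
    }
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);   // 's' = bind as a string
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();             // true if a row was returned
    $stmt->close();
    // Compare against the stored hash; raw passwords are never stored or compared.
    return $found === true && password_verify($password, $hash);
}

// Assumed connection details for the example.
$db = new mysqli('localhost', 'app', 'app-password', 'appdb');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}
$ok = login($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
echo $ok ? 'login ok' : 'bad username or password';
```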
