OK, that title sounds bad if read wrongly.

I have a series of forms and I have regexed them as much as I think is necessary. I would like to know however, if someone would send me a line of code that someone could enter through a text box/textarea, which could show specific data from a db, if security hadn't been added. PM it to me if it is unwise to post publicly.

I am trying to make sure that I haven't leaft a 'door' open to a malicious attack, where I am unable to see there is even the door.

I have regexed out all unnecessary characters from form input and I don't submit it to the db without using placeholders. And I have set permissions on the connection not to allow delete alter or drops. But I can't seem to work out how to prevent an insertion which would allow for a query that outputs db data other than what the form is meant to do.

I want to be sure that someone couldn't, for example, query the db to output either table names or column values.

Any tips or tutorials most welcome.