Validating user inputs on the server is really a "must do".

Before processing any user inputs, make sure they contain only valid characters and nothing else. Then pass the validated input to the sql query via mysql_real_escape_string. There is no need for stripslashes in this case

Thanks, can you tell me what kind of things I should validate on, I've got a textarea where people can fill in lots of text. I dunno what hackers would use to hack it.

This is a popular page showing how hackers can use sql injection to corrupt or at least get data from an unprotected database.

But validating data is not only about helping ward off attacks. It's also about maintaining the integrity of the data in your database. For example, if the data in a database table column should only contain letters then you should validate that user input and reject any user input for that column that contains characters other that letters.

Whatever you do, don't fall into the trap of validating user inputs only on the client side using javascript because it can very easily be bypassed by switching off javascript in the browser.