I have read and understood that when I use mysql queries that I need to use mysql_real_escape_string() to protect my database from injection.

I have a contact form on my page. Users enter in name, email, phone, and comments in separate fields. The form passes the data into email_sent.php using the post method.

On that php page, I simply send an email using php and the information that was in the fields from the contact page. I do not use any sort of escape strings for this. Do I need to?

I didn't think I did because my database is untouched. I don't connect to my database in this way. I am just using php.

Any thoughts on this?

On a side note, I've been getting some weird emails from someone. Random letters are typed into the fields, and the comment box was filled with random links (I am afraid to click on them). Not sure what is going on there either!

That got me thinking about mysql injection.

Thank you.
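As an added example (not the poster's code), here is what the email_sent.php step described above can look like when each field is checked before it reaches PHP's mail(); the field names, the recipient address and the sender address are assumptions. The point it shows: anything that ends up in a mail header (here the Reply-To built from the email field) must be a single valid line, while the comment text only ever goes into the body.

```php
<?php
// Added example, not the poster's code: a checked version of email_sent.php
// for a contact form with name, email, phone and comments fields (POST).
// Recipient, sender address and field names are assumptions.
declare(strict_types=1);

$recipient = 'you@example.com';              // assumption: your own inbox
$sender    = 'contact-form@example.com';     // assumption: an address on your domain

// Accept a value only if it is a single plain line of bounded length.
// Values that are placed in mail headers must never contain a line break.
function singleLine(string $value, int $maxLen): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    if (preg_match('/[\r\n\x00]/', $value) === 1) {
        return null;
    }
    return $value;
}

$name    = singleLine((string)($_POST['name']     ?? ''), 100);
$email   = singleLine((string)($_POST['email']    ?? ''), 254);
$phone   = singleLine((string)($_POST['phone']    ?? ''), 40);
$comment = trim((string)($_POST['comments'] ?? ''));

if ($name === null || $email === null || $phone === null || $comment === '') {
    http_response_code(400);
    exit('Please fill in every field; name, email and phone must be one line each.');
}
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Please enter a valid email address.');
}

// The From: header is fixed to your own domain; the visitor's address is
// used only as Reply-To (validated above) and inside the message body.
$headers = "From: $sender\r\n"
         . "Reply-To: $email\r\n";

$body = "Name: $name\nEmail: $email\nPhone: $phone\n\n"
      . str_replace("\0", '', $comment);

$sent = mail($recipient, 'Contact form submission', $body, $headers);
echo $sent ? 'Thanks, your message was sent.' : 'Sorry, the message could not be sent.';
```

Rejecting submissions that fail these checks (rather than sending them anyway) also drops a good share of the random-text, link-filled entries mentioned in the post.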