Is Php reqular expression secure to insert data into database?

Question

I'm inserting data to db with following validation where I only accept ' and & and @ and . . After that I'm using mysqli_real_escape_string($var) .

So I see it's output is :

I\'m a good boy &@ is it secure var for input to DB.

My Questions :

1) Is there any security issues will appear if I accept ' and & and @ and . ?
2) If it's not security issues then it's insert \\ to db. Is it problem to store data with backslash ?
3) If it's not a problem for security then in user panel data is showing with \\ . So is it need to escape with stripslashes($var); ?

My validation:

$var = "I'm a good boy &@ is it secure var for input to DB.";

if(preg_match("/^[a-zA-Z0-9.'&@ ]+$/", $var) !== 1)
    echo "var is NOT OK.<br/>";
else
    echo "var is ok.<br/>";

mysqli_real_escape_string($link, $var);

Answer 1

1. Is there any security issues will appear if I accept ' and & and @ and . ?
   There will be security issues as a single quote (') is used for SQL Injection

2. If it's not security issues then it's insert \\ to db. Is it problem to store data with backslash ?
   No, there is no problem with storing the data with backslashes, that's how escaping works.

3. If it's not a problem for security then in user panel data is showing with . So is it need to escape with stripslashes($var);?
   Yes, it will cause a problem among display as single quotes will be escaped using a backslash, to display it without a backslash, you can use stripslashes()

All these problems and questions you're mentioning can be simply ignored if you start using prepared statements as it requires no escaping whatsoever, so your database will be SQL Injection-free, there will be no backslashes making your output look bad.