Here is what I have now.
$date = mysqli_real_escape_string($dbc, trim(date('Y-m-d',strtotime($_POST['date']))));
I was told that I need to make sure that the $date is safe/legit before passing it to strtotime(). How do I do that? I've looked up http://us3.php.net/strtotime but it really doesn't tell me what I'm looking for I think.
Can someone explain to me in a little better detail how to clean submit to strtotime?
That is by far overkill from what you need to do. The strtotime() function should do all the "validation" you need - either it will return a valid date, or not. After that, you should not need to trim or escape the output from date() - the output is determined by you. Here is what I would do:
$date = strtotime($_POST['date']);
if($date) {
$date = date('Y-m-d', $date);
//do stuff based on valid date
}
else {
//handle invalid date.
}
There's no real reason to sanitize the value beforehand. The worst thing that can happen is that the time isn't valid and strtotime() returns false (which you can also use to check whether the date string was valid).
Also, there's no reason to trim and escape the date( 'Y-m-d' ) function's return value: it will never return values with trailing whitespace or anything that should be escaped.