NEONecd999

  1. Yeah, this is all for an admin panel, so only an admin will have access to this. Thanks for your help, mysql_real_escape_string() worked great.
  2. I have a form with a text area where users can input an HTML code. That is then stored in a field of a MySQL table. On another page, this HTML code must be selected from the table and echoed, so that the processed HTML code is what will appear in the browser. Problem is, there are symbols in the HTML code, such as single quotation marks, that will kill the syntax of the MySQL UPDATE statement and allow for MySQL injection attacks. To avoid this, I usually put "htmlentities($content, ENT_QUOTES)" instead of simply "$content" into the MySQL statement. However, if I do this, when I SELECT the info to output in another HTML page, it is not processed by the HTML, as all HTML symbols have been translated into their character codes... So which PHP functions should I use to encode and decode my content (in this case HTML code) to suit this scenario? Thanks.
  3. Fantastic, thank you.
  4. Hi, I have a text area input that is submitted in a form. I had the issue that when someone submitted a ' (single quote) symbol in the text area, the PHP/MySQL syntax would think that that was the closing quote of the text field (SET fieldname= 'John's pizzeria'), causing a syntax error. To fix this, I put an "htmlencode()" around the $_POST variable before running it in MySQL to update (a MEDIUMTEXT field). This worked well. Now I'd also like to preserve line breaks inputted into the text area. As it is now, if you include two line breaks, those line breaks seem to be preserved in the MySQL field, but when you call the field and echo it into HTML, the line breaks are gone. What is the best way to encode my text area so that I don't have syntax problems (and risk MySQL injection attacks) as well as maintain formatting things like line breaks? Thanks.
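
For the two textarea questions above (quotes breaking the UPDATE, and HTML or line breaks lost on display), an added example that is not part of the original posts: the value is bound as a query parameter and stored unmodified, and HTML encoding happens only at output time. It assumes PDO with an in-memory SQLite database standing in for MySQL; the `pages` table, the helper names and the sample input are constructed for illustration.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for
// MySQL so the script runs offline; table and column names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, content TEXT)');
$db->exec("INSERT INTO pages (id, content) VALUES (1, '')");

// Store: bind the value as a parameter. It never becomes part of the SQL
// text, so quotes need no escaping and the value is stored unmodified.
function save_content(PDO $db, int $id, string $content): void {
    $stmt = $db->prepare('UPDATE pages SET content = :content WHERE id = :id');
    $stmt->execute([':content' => $content, ':id' => $id]);
}

function load_content(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT content FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Display as plain text: encode for HTML at output time, then convert
// newlines to <br> so the line breaks typed into the textarea survive.
function render_as_text(string $stored): string {
    return nl2br(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'));
}

// Constructed input: a single quote, two line breaks and a tag.
$input = "John's pizzeria\n\nOpen <b>late</b>";
save_content($db, 1, $input);
$stored = load_content($db, 1);

// Compare what came back from the database with what was submitted.
var_dump($stored === $input);

// Text case: the tag is shown literally and the line breaks are kept.
echo render_as_text($stored), "\n";

// HTML case: echoing the stored value as-is makes the markup live, which is
// only appropriate when every author is trusted (such as an admin-only form).
echo $stored, "\n";
```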