Now, I'm using this function to escape the variables I use in MySQL queries:
function escape($texto) {
    $texto = trim($texto) ;            // strip leading/trailing whitespace
    $texto = htmlspecialchars($texto) ; // HTML-encode & < > " (and ' only with ENT_QUOTES before PHP 8.1)
    return $texto ;
}
And it seems to work well (if it isn't secure, please tell me!).
The problem is when I want to insert HTML code into the DB. I have tried mysql_real_escape_string(), but " and ' come out as \" and \' when I show the HTML later, and I must do something like:
$html = str_replace("\\'", "'", $html);    // turn \' back into '
$html = str_replace("\\\"", "\"", $html);  // turn \" back into "
But I don't think this can be the best way to do it. What do you think? Is there any other way to do it?
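The following is an added example, not code from the original post. It shows the two points a reviewer would make here: SQL quoting and HTML encoding are separate jobs, so the value should go into the database through a prepared statement (no manual escaping at all) and be passed through htmlspecialchars() only at output time, and only for fields meant to be shown as text. It also reproduces how stored backslashes arise when a value is escaped twice (historically magic_quotes_gpc plus mysql_real_escape_string()), which is one common cause of the symptom described above. The table name `pages`, the helper names, the sample strings, and the use of PDO with the pdo_sqlite extension (so it runs without a MySQL server) are assumptions of this example; with MySQL only the DSN changes.

```php
<?php
// Added example (not from the original post). Assumes the pdo_sqlite
// extension; with MySQL only the DSN in the PDO constructor changes.
declare(strict_types=1);

// Store raw HTML through a prepared statement. The driver handles quoting,
// so nothing is escaped twice and no backslashes end up in the stored value.
function storeHtml(PDO $db, string $title, string $html): int
{
    $stmt = $db->prepare('INSERT INTO pages (title, html) VALUES (:title, :html)');
    $stmt->execute([':title' => $title, ':html' => $html]);
    return (int) $db->lastInsertId();
}

function loadHtml(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT title, html FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HTML-encode only at output time and only for fields meant to be displayed
// as text (the title). The html column is markup written by the site owner
// and is output as-is; never store it HTML-encoded.
function renderPage(array $row): string
{
    $title = htmlspecialchars($row['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h1>$title</h1>\n" . $row['html'] . "\n";
}

// What double escaping looks like: magic_quotes_gpc (removed in PHP 5.4)
// applied addslashes() to request data, and mysql_real_escape_string()
// escaped it again. MySQL removes one layer when parsing the literal, so the
// stored text keeps one set of backslashes, which is the symptom above.
function doubleEscaped(string $input): string
{
    return addslashes(addslashes($input));
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY AUTOINCREMENT, title TEXT, html TEXT)');

// Constructed sample input: a title that must be encoded on display and a
// block of HTML containing both kinds of quote that must be stored verbatim.
$title = "Bob's <script>alert(1)</script> page";
$html  = '<p class="intro">It\'s "quoted" &amp; fine</p>';

$id  = storeHtml($db, $title, $html);
$row = loadHtml($db, $id);

// The HTML round-trips byte for byte: no \' or \" to strip afterwards.
if ($row === null || $row['html'] !== $html) {
    throw new RuntimeException('stored HTML was altered');
}
echo renderPage($row);

// Compare with the doubly escaped form that would have been sent to MySQL
// inside a quoted literal under magic_quotes_gpc + mysql_real_escape_string().
echo doubleEscaped("It's \"quoted\""), "\n";
```

Run it with `php example.php`. The rendered title has its quotes and angle brackets encoded, while the stored markup comes back exactly as inserted; the last line shows the doubly escaped string that, after MySQL strips one layer, leaves the `\'` and `\"` the question is fighting with.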