Encoding & Decoding HTML when working with MySQL

[NEONecd999]

I have a form with a text area where users can input an HTML code. That is then stored in a field of a mysql table.

 

On another page, this HTML code must be selected from the table and echoed, so that the processed HTML code is what will appear in the browser.

 

Problem is, there are symbols in the HTML code, such as single quotation marks, that will kill the syntax of the mysql UPDATE statement and allow for mysql injection attacks. To avoid this, i usually put "htmlentities($content, ENT_QUOTES)" instead of simply "$content" into the MySQL statement. However, if I do this, when I SELECT the info to output in another HTML page, it is not processed by the HTML, as all HTML symbols have been translated into their character codes...

 

So which PHP functions should I use to encode and decode my content (in this case HTML code) to suit this scenario?

 

Thanks.

[GingerRobot]

So which PHP functions should I use to encode and decode my content (in this case HTML code) to suit this scenario?

 

Dont. Use mysql_real_escape_string

 

However, you might want to consider what you're allowing through - unless this is something hidden away in an admin area, someone could use things like script tags and you'll end up in a whole heap of trouble.

[NEONecd999]

Yeah this is all for an admin panel, so only an admin will have access to this.

 

Thanks for your help, mysql_real_escape_string() worked great.