textarea to database problem

[gevans]

I've just found a little problem on a bespoke CMS that's about to go live. When adding new content areas through the following form;

 

<form name="add-content-form" id="add-content-form" action="http://localhost/ebp/beta/admin.func.php?do=add&type=content" method="post">
<fieldset id="parent_idfield">
<label for="parent_id">Page:</label>
<select id="parent_id" name="parent_id">
<option>SELECT PAGE</option>
<option value="1">Home</option>
</select>
 <a href="#" title="Information..." onclick="alert('Your new page will be seen in and accessed via the sub navigation of the parent page');return false;">?</a>
<fieldset id="titlefield">
<label for="title">Title:</label>
<input maxlength="44" id="title" type="text" value="" name="title" />
</fieldset>
<fieldset id="subtitlefield">
<label for="subtitle">Sub Title:</label>
<input maxlength="44" id="subtitle" type="text" value="" name="subtitle" />
</fieldset>
<br />
<fieldset id="contentfield" class="yui-skin-sam">
<textarea style="width: 956px;" cols="100" rows="15" id="content" name="content"></textarea></fieldset>
<br />
<fieldset id="submitfield">
<label for="submit"></label>
<input id="submit" type="submit" value="Add Content Area" name="submit" />
</fieldset>
</form>

 

There's a bit of JavaScript omitted that's used to laod the textarea as Yahoo's Rich Text Editor.

 

Once the form is submitted it goes through a validation and cleaning process. The problem text is shown here;

 

'Portsmouth & South East Hampshire'

 

when adding that text the single spaces are stripped from around the '&' resulting in;

 

'Portsmouth&South East Hampshire'

 

This is the code that validates the input, and it has lost the spaces already;

 

if(!isset($_REQUEST['title']) || empty($_REQUEST['title'])){
                $_SESSION['msg'] = TRUE;
                $_SESSION['msg_detail'] = 'title_not_set';
                $_SESSION['msg_type'] = 0;
            } else {
                $title = $CN->input($_REQUEST['title']);
                $subtitle = $CN->input($_REQUEST['subtitle']);
                if(!isset($_REQUEST['content']) || empty($_REQUEST['content'])){
                    $_SESSION['msg'] = TRUE;
                    $_SESSION['msg_detail'] = 'content_not_set';
                    $_SESSION['msg_type'] = 0;
                } else {
                    $content = $CN->input_rte($_REQUEST['content']);    
                    if(!isset($_REQUEST['id']) || !is_numeric($_REQUEST['id'])){} else {
                        $id = $CN->input($_REQUEST['id']);
                        $query = "UPDATE content SET title='$title', sub_title='$subtitle', text='$content' WHERE id='$id'";
                        $result = $DB->query($query);
                        if($result){
                            $_SESSION['msg'] = TRUE;
                            $_SESSION['msg_detail'] = 'content_edited';
                            $_SESSION['msg_type'] = 1;
                        } else {
                            $_SESSION['msg'] = TRUE;
                            $_SESSION['msg_detail'] = 'error_editing_content';
                            $_SESSION['msg_type'] = 0;
                        }
                    }
                }
            }