https://forums.phpfreaks.com/topic/215685-my-php-script-is-letting-html-injections-how-do-i-prevent-it/

angel1987 Posted October 12, 2010

Here is the code that I am using to accept data and display the data.

To accept it and add it to the database I am using:

$comment = $_POST['txtcomment'];
$comment = @mysql_real_escape_string($comment);

To display the data from the DB I am using:

$comment = $rowscomment['comment'];
<?php echo nl2br($comment); ?>

Please help me correct it. I am still learning PHP.
Adam Posted October 12, 2010

htmlspecialchars - the order is important though, because if you apply htmlspecialchars() after nl2br() you'll convert the br tags to entities too:

echo nl2br(htmlspecialchars($comment));
rwwd Posted October 12, 2010

$comment = mysql_real_escape_string(strip_tags($_POST['txtcomment']));

Rw
angel1987 (Author) Posted October 12, 2010

Thanks for the answers, htmlspecialchars() worked. But is there anything else that I need to know? Just as information, to prevent issues related to other special characters that might be used for HTML or SQL injections, or just to mess with the application? I need the script to function perfectly, so is there anything I need to add while adding or displaying the data? Thanks again.
Faks Posted October 12, 2010

$comment = trim($_POST['txtcomment']);

This helps if somebody is trying to screw with empty spaces, table spacing and the like related to it, so go read.
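As an added example for this thread (not code from any of the posters above), here is a stand-alone PHP script that puts the replies together: trim() on input as Faks suggests, a prepared statement in place of mysql_real_escape_string() for the SQL side angel1987 asks about, and nl2br(htmlspecialchars()) in the order Adam gives for output, next to the reversed order so the difference is visible. It assumes PDO with the SQLite driver is available so it runs without a MySQL server; the table name, column name and sample comment are constructed for the example.

```php
<?php
// Added example, not from the thread: storing a comment safely and
// displaying it safely, using the advice given in the replies above.
//
// Storing: a prepared statement binds the value instead of splicing it
// into the SQL string (the mysql_* functions were removed in PHP 7).
// An in-memory SQLite database is used here so the script runs offline;
// in practice the DSN would point at the real MySQL database.
//
// Displaying: htmlspecialchars() first, then nl2br(), as Adam's reply says.

function storeComment(PDO $db, string $raw): void
{
    // trim() as in Faks' reply. Nothing else is altered before storage, so
    // the original text survives intact and escaping happens on output.
    $comment = trim($raw);
    $stmt = $db->prepare('INSERT INTO comments (comment) VALUES (:c)');
    $stmt->execute([':c' => $comment]); // bound parameter, never string-built SQL
}

function renderComment(string $comment): string
{
    // Escape first: <, >, &, " and ' become entities. ENT_QUOTES covers the
    // single quote, which older PHP versions did not escape by default.
    // nl2br() then inserts <br /> only at real newlines, and those tags
    // are not touched because escaping already happened.
    return nl2br(htmlspecialchars($comment, ENT_QUOTES, 'UTF-8'));
}

function renderCommentWrongOrder(string $comment): string
{
    // The ordering mistake the thread warns about: the <br /> tags that
    // nl2br() inserted are escaped too and appear as literal text.
    return htmlspecialchars(nl2br($comment), ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, comment TEXT)');

// Constructed sample input: surrounding whitespace, a script tag,
// a single quote and a newline.
$posted = "  Nice post!<script>alert('x')</script>\nSecond line  ";
storeComment($db, $posted);

foreach ($db->query('SELECT comment FROM comments') as $row) {
    echo "Correct order (escape, then nl2br):\n";
    echo renderComment($row['comment']), "\n\n";
    echo "Wrong order (nl2br, then escape):\n";
    echo renderCommentWrongOrder($row['comment']), "\n";
}
```

Run it with the PHP CLI (php example.php). In the correct-order output the script tag is rendered as harmless entities while the newline still becomes a <br />; in the wrong-order output the <br /> itself has been turned into &lt;br /&gt;. Escaping on output rather than stripping tags on input keeps the stored text unchanged, so the same row can later be shown in a non-HTML context (plain-text e-mail, JSON) with the escaping appropriate to that context.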