Here I am again... Can anybody help me? I have a mySQL db that needs to be updated from a browser anywhere (with some PHP aid)... so I need to validate a textarea input like
update ... values(foo=´".$textareaname."´);
I have to validate the $textareaname variable so it won't set illegal chars that would generate a mySQL command syntax error (i.e. ' )... The user is supposed to be able to insert HTML code into the field so it will be generated in "his" page...
If I remember correctly - you might like also to look at htmlspecialchars() which will encode any html as their entity counterparts.
The html code of course will not be 'executed'. If you want their html code to actually be executed, and are not concerned about how the page presentation may be affected, then addslashes() & stripslashes() is the way to go.
There are really two problems that you need to address:
1. Malicious SQL code: A user might insert malicious SQL code into your form. This is solved by escaping backslashes, null-bytes and single quotes with the addslashes function. If magic_quotes_gpc is on then PHP will automatically escape those characters in all data from GET and POST actions and from COOKIEs.
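The two replies above (htmlspecialchars() versus raw output, and addslashes() with the magic_quotes_gpc caveat) can be tried end to end without a database. The following is an added example written for this thread, not code from either poster; the table name `pages`, the `id` column and the sample textarea value are assumptions, only the column `foo` and the field name `textareaname` come from the question.

```php
<?php
// Added example for this thread. Assumed: table "pages", column "foo", row id 1,
// and a textarea field named "textareaname". Runs stand-alone, no MySQL needed.

// Constructed sample input, as a browser would POST it from the textarea:
// contains HTML, a single quote, double quotes, a backslash and a NUL byte.
$_POST['textareaname'] = "<b>O'Reilly</b> says \"hi\" \\ and a null\0byte";

// If magic_quotes_gpc is on, PHP has already added backslashes to request data;
// undo that first so the value is escaped exactly once, not twice.
// (get_magic_quotes_gpc() only exists in PHP < 8; the guard keeps this runnable.)
function raw_request_value($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Escape for a single-quoted SQL string literal the way the reply describes:
// backslash, NUL, single quote and double quote each get a leading backslash.
function sql_escape($value) {
    return addslashes($value);
}

// The UPDATE from the question, now with a properly escaped literal.
function build_update($value) {
    return "UPDATE pages SET foo='" . sql_escape($value) . "' WHERE id=1";
}

// Option A: show the stored HTML literally as text (entities, not markup).
function render_escaped($stored) {
    return htmlspecialchars($stored, ENT_QUOTES);
}

// Option B: let the browser interpret the stored HTML (the "his page" case).
function render_raw($stored) {
    return $stored;
}

$value = raw_request_value($_POST['textareaname']);
echo build_update($value), "\n";

// MySQL stores the unescaped value, so what comes back on SELECT is $value
// itself; stripslashes() is only needed if it was accidentally escaped twice.
$stored = $value;
echo "escaped: ", render_escaped($stored), "\n";
echo "raw:     ", render_raw($stored), "\n";
```

The first echo shows the quote inside `O'Reilly` arriving in the literal as `O\'Reilly`, which is the only thing standing between the textarea and a broken (or attacker-shaped) statement; the second and third show the same stored string rendered as visible text versus live markup. addslashes() is what the thread recommends and is fine for the ASCII cases discussed here, but it knows nothing about the connection's character set, so on a current PHP build a prepared statement with a bound parameter is the safer way to send the same value.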