update ... values(foo='".$textareaname."');
I have to validate the $textareaname variable so it won't contain illegal chars that would generate a MySQL command syntax error (i.e. ' )...
The user is supposed to be able to insert HTML code into the field so it will be generated in "his" page...
Help me pleaaase!
The HTML code of course will not be 'executed'. If you want their HTML code to actually be executed, and are not concerned about how the page presentation may be affected, then addslashes() & stripslashes() is the way to go.
malicious SQL code
A user might insert malicious SQL code into your form. This is solved by escaping backslashes, null-bytes and single quotes with the addslashes function. If magic_quotes_gpc is on then PHP will automatically escape those characters in all data from GET and POST actions and from COOKIEs.
malicious HTML code
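The escaping point from the "malicious SQL code" reply, as an added PHP example that is not from the thread: the UPDATE from the question built three ways, with a textarea value that holds HTML and an apostrophe. The table and column names (pages, foo, id) and the PDO connection passed to updatePage() are assumptions.

```php
<?php
// Added example, not from the thread. Table/column names and the PDO
// connection are assumptions.

// Constructed sample input: HTML a user might paste, containing an apostrophe.
$textareaname = "<p>Bob's <b>page</b></p>";

// 1. Raw concatenation, as in the original post. The apostrophe in "Bob's"
//    terminates the string literal early, so MySQL reports a syntax error,
//    and a value chosen with that in mind could change what the statement does.
$unsafe = "UPDATE pages SET foo='" . $textareaname . "' WHERE id=1";

// 2. addslashes(), the method the reply recommends: single quote, double quote,
//    backslash and NUL are prefixed with a backslash so MySQL reads them
//    literally. The HTML itself is stored unchanged; the escaping only protects
//    the SQL string, and is undone by MySQL when the value is stored.
//    Caveats: magic_quotes_gpc was removed in PHP 5.4 (get_magic_quotes_gpc()
//    in 8.0), so current input is never pre-escaped, and escaping data twice
//    stores doubled backslashes. addslashes() is also not charset-aware;
//    mysqli_real_escape_string() uses the connection charset and is the
//    safer escaping call when escaping is used at all.
$escaped = "UPDATE pages SET foo='" . addslashes($textareaname) . "' WHERE id=1";

// 3. Prepared statement (PDO). Not in the thread; added as the approach a
//    current code base would use. The value is sent separately from the SQL
//    text, so nothing in the textarea can alter the statement and no
//    escaping of the content is needed.
function updatePage(PDO $db, int $id, string $html): int
{
    $stmt = $db->prepare('UPDATE pages SET foo = :foo WHERE id = :id');
    $stmt->execute([':foo' => $html, ':id' => $id]);
    return $stmt->rowCount();
}

// The first query contains an unbalanced quote; the second is valid SQL.
echo $unsafe, PHP_EOL;
echo $escaped, PHP_EOL;
```

To run case 3, pass an open PDO connection, e.g. updatePage($db, 1, $textareaname), where $db is created with your own DSN and credentials.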