apostrophe and quotes in web form

how to code PHP to remove apostrophes and quotes before inserting


weddingm

5:53 pm on Jun 18, 2008 (gmt 0)

10+ Year Member



Hello all,

I am having the problem of my form erroring out when quotes and apostrophes are entered into the form field or text area. It will not insert into a database.

What do you think is the best way to rectify this?

form field:
<textarea name="Comments" rows="8" cols="50"><?php echo stripslashes(ereg_replace('"','"',$webinfo31)); ?></textarea>

The above only removes apostrophes and not quotes, though.

on confirmation page:
<?php $webinfo31 = htmlspecialchars($_POST['Comments']); ?>

Will this work or is there a better way?

Thanks,
Matt

dreamcatcher

6:19 pm on Jun 18, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



mysql_real_escape_string [uk3.php.net]

dc

weddingm

4:15 am on Jun 19, 2008 (gmt 0)

10+ Year Member



I have found the PHP function htmlspecialchars. I really like this as it does what I want on Guestbook comments. However, in other forms, I recommend using the <br> to go to the next line. The problem is that htmlspecialchars puts the data into the database so that when the data is pulled onto a web page, the data shows the <br> and doesn't break right.

Geez, I have been doing a lot of reading on this and you have to worry so much about hacker codes. I want something that works but will not make my database prone to hacking.

Matt

coopster

2:48 pm on Jun 20, 2008 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



htmlspecialchars and htmlentities convert html characters to coded characters that will render them in the browser. For example, if you have some html like this:
<p>This, <br>, is a line break in HTML

It is going to print out like this in your browser:
This, 
, is a line break in HTML

However, if you were to use the htmlspecialchars version of the same:
<p>This, &lt;br&gt;, is a line break in HTML

It is going to look like this in your browser:
<p>This, <br>, is a line break in HTML

The html special characters are encoded so that your browser doesn't read them and think they are HTML that should be rendered and displayed as such.

If you use htmlspecialchars to put that data into your database then yes, it is going to come out as "plain text" looking in your browser rather than rendered HTML. The safe way to store data in MySQL is using the function that dreamcatcher advised.
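
The two pieces of advice in this thread (store with a database escaping function as dreamcatcher said, and keep htmlspecialchars for output rather than for storage as coopster explains) fit together as shown in the following added example. It is not code from any poster in the thread. It uses PDO prepared statements instead of mysql_real_escape_string, which needed an open MySQL connection and was removed along with the mysql extension in PHP 7; the in-memory SQLite DSN, the table name guestbook, the helper names render_comment and textarea_value, and the sample comment text are all assumptions made for the example so that it runs offline.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite database
// through PDO so it runs with no server; replace the DSN with a MySQL one in
// a real site. Two rules: (1) store the raw text through a prepared statement,
// (2) escape for HTML only at the moment of rendering.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY, comments TEXT NOT NULL)');

// Constructed sample input standing in for $_POST['Comments']: it has an
// apostrophe, double quotes, a newline and an HTML tag, all the cases that
// made the original form "error out" or render wrongly.
$posted = "Matt's \"wedding\" site\nsecond line <b>bold</b>";

// 1. Insert. The placeholder sends the value separately from the SQL text, so
//    quotes and apostrophes are plain data and cannot break the statement.
$stmt = $db->prepare('INSERT INTO guestbook (comments) VALUES (:c)');
$stmt->execute([':c' => $posted]);

// 2. Read back. The stored value is byte-for-byte what was posted: nothing was
//    stripped, slashed or HTML-encoded on the way in.
$row = $db->query('SELECT comments FROM guestbook')->fetch(PDO::FETCH_ASSOC);
if ($row['comments'] !== $posted) {
    throw new RuntimeException('stored value differs from posted value');
}

// 3. Render for display. Escape first, then turn newlines into <br />, so the
//    line breaks render while any tags the visitor typed are shown as text.
//    ENT_QUOTES also encodes the apostrophe, which matters if the value ever
//    lands inside a single-quoted attribute.
function render_comment(string $raw): string
{
    $safe = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    return nl2br($safe);
}

// 4. Render back into the textarea. Escape only; no <br> is wanted here, the
//    browser shows the text as typed and the user can edit it again.
function textarea_value(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

echo '<p>' . render_comment($row['comments']) . "</p>\n";
echo '<textarea name="Comments" rows="8" cols="50">'
    . textarea_value($row['comments']) . "</textarea>\n";
```

Run with `php example.php`: the paragraph comes out as `Matt&#039;s &quot;wedding&quot; site<br />` followed by `second line &lt;b&gt;bold&lt;/b&gt;`, so the browser shows the quotes, the apostrophe and a real line break, and the `<b>` is displayed literally. The database row itself holds the unescaped text, which is what lets the same value be shown in a paragraph, put back into a textarea, or exported elsewhere without the double-encoding problem described earlier in the thread.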

weddingm

5:18 pm on Jun 20, 2008 (gmt 0)

10+ Year Member



Thanks. I've done a lot of reading this week and finally got mysql_real_escape_string to work!