Does mysql_real_escape_string() escape HTML character entities? I want people on my comment board to be able to post quotes in their comments, but they get escaped as raw ascii, so I run them through htmlentities() first, but it doesn't help. I only get it to work when I remove mysql_real_escape_string(), like this:
nl2br(strip_tags(/*mysql_real_escape_string(*/htmlentities($_POST["comment"],ENT_QUOTES)))/*)*/. Is this expected?
Hi.
It shouldn't do that, no.
You code works like expected on my server.
Using the following code:
$comment = $_POST['comment'];
if(get_magic_quotes_gpc()) $comment = stripslashes($comment);
echo nl2br(strip_tags(mysql_real_escape_string(htmlentities($comment,ENT_QUOTES))));The following string: He said: "What's up?" Is converted into : He said: "What& #039;up?" (Added a space in the single-quote HTML char. The forum would show it correctly otherwise.)
Just as expected.
I would question the need to convert them into HTML entities tho.
The mysql_real_escape_string function should make sure all quote-marks are safely inserted into the query, which should allow you to show them in your HTML without problems.
Personally I wouldn't alter the comment at all before inserting them into the database, other than using the mysql_real_escape_string function of course. I would prefer to do that when I present the data.
You never know if you need to change the way the data is displayed, and having the data in it's original form will make that easier.
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.