Does mysql_real_escape_string() escape HTML character entities? I want people on my comment board to be able to post quotes in their comments, but they get escaped as raw ascii, so I run them through htmlentities() first, but it doesn't help. I only get it to work when I remove mysql_real_escape_string(), like this:

nl2br(strip_tags(/*mysql_real_escape_string(*/htmlentities($_POST["comment"],ENT_QUOTES)))/*)*/

. Is this expected?

Hi.

It shouldn't do that, no.

You code works like expected on my server.
Using the following code:

$comment = $_POST['comment'];
if(get_magic_quotes_gpc()) $comment = stripslashes($comment);

echo nl2br(strip_tags(mysql_real_escape_string(htmlentities($comment,ENT_QUOTES))));

The following string: He said: "What's up?" Is converted into : He said: "What& #039;up?" (Added a space in the single-quote HTML char. The forum would show it correctly otherwise.)

Just as expected.

I would question the need to convert them into HTML entities tho.
The mysql_real_escape_string function should make sure all quote-marks are safely inserted into the query, which should allow you to show them in your HTML without problems.

Personally I wouldn't alter the comment at all before inserting them into the database, other than using the mysql_real_escape_string function of course. I would prefer to do that when I present the data.
You never know if you need to change the way the data is displayed, and having the data in it's original form will make that easier.

This article has been dead for over six months. Start a new discussion instead.