Does mysql_real_escape_string() escape HTML character entities? I want people on my comment board to be able to post quotes in their comments, but they get escaped as raw ascii, so I run them through htmlentities() first, but it doesn't help. I only get it to work when I remove mysql_real_escape_string(), like this:

nl2br(strip_tags(/*mysql_real_escape_string(*/htmlentities($_POST["comment"],ENT_QUOTES)))/*)*/

. Is this expected?

Hi.

It shouldn't do that, no.

You code works like expected on my server.
Using the following code:

$comment = $_POST['comment'];
if(get_magic_quotes_gpc()) $comment = stripslashes($comment);

echo nl2br(strip_tags(mysql_real_escape_string(htmlentities($comment,ENT_QUOTES))));

The following string: He said: "What's up?" Is converted into : He said: "What& #039;up?" (Added a space in the single-quote HTML char. The forum would show it correctly otherwise.)

Just as expected.

I would question the need to convert them into HTML entities tho.
The mysql_real_escape_string function should make sure all quote-marks are safely inserted into the query, which should allow you to show them in your HTML without problems.

Personally I wouldn't alter the comment at all before inserting them into the database, other than using the mysql_real_escape_string function of course. I would prefer to do that when I present the data.
You never know if you need to change the way the data is displayed, and having the data in it's original form will make that easier.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts learning and sharing knowledge.