Hi, a couple of comments:

> --snip--

> htmlentities(htmlspecialchars($_POST['tentry_body'])) . "'";
> --snip--

Why are you using both htmlentities and htmlspecialchars? Consider that
htmlspecialchars only converts some entities while htmlentities converts all ...
so, for your purposes, applying only one could do the job.

> In the archives people suggest that mysql_escape_string should be
> used, I then found that you could globally enable magic_quotes_gpc.

magic_quotes_gpc is a generic way of getting the user data escaped,
but it is not the recommended way. It's better to have magic_quotes_gpc
disabled and use a database-specific method for escaping. If you use
mysql, I would recommend mysql_real_escape_string.
(mysql_escape_string is deprecated since 4.3.0)

Best regards,
Jordi.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
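An added example, not part of the thread, illustrating both points above: stacking htmlentities() on htmlspecialchars() double-encodes the output, and escaping for MySQL should be done once with mysql_real_escape_string(), undoing magic_quotes_gpc first if it happens to be on. It assumes PHP 5 with the old mysql extension and an already opened connection handle `$link`; `$body` is a constructed stand-in for `$_POST['tentry_body']`.

```php
<?php
// Constructed sample input standing in for $_POST['tentry_body'].
$body = "Tom & Jerry <b>bold</b> O'Reilly";

// One pass is enough for HTML output: & < > " ' become entities.
$once = htmlspecialchars($body, ENT_QUOTES);

// Stacking both encodes the '&' of every entity produced by the first
// pass a second time, so '&amp;' turns into '&amp;amp;' in the page.
$twice = htmlentities(htmlspecialchars($body, ENT_QUOTES), ENT_QUOTES);

echo "single pass: ", $once, "\n";
echo "double pass: ", $twice, "\n";

// Escaping for MySQL. With magic_quotes_gpc on, $_POST values already
// carry addslashes()-style backslashes; escaping them again would store
// doubled backslashes. Strip those first, then escape exactly once with
// the connection-aware client function.
function sql_escape($link, $value)
{
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return mysql_real_escape_string($value, $link);
}

// $link is an assumed handle from mysql_connect(); the table and column
// names are made up for the example.
$sql = "INSERT INTO entries (body) VALUES ('" . sql_escape($link, $body) . "')";
echo $sql, "\n";
```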
