Correct way of processing user input strings in SQL and PHP?

ikramjamu

New Member
I have designed a comment system. This is what I am basically doing:

```php
$story = $_POST['story'];
$story = mysql_real_escape_string($story);
$query = "INSERT INTO `comment` VALUES('$story')";
```

Now the problem is that when I store the comment, all the `"` are replaced by `\"` and all the `'` are replaced by `\'`. So when I display the comments back, these `\` also show up in the comment.

Another problem is that `&` disappears. E.g. if a user comments `I & you`, only `I` is stored in the database. In fact, in a few cases comments don't even enter the database.

What is the correct way of processing and storing user comments so that you can display them back as written originally?

PS: I am not worried about SQL injection. I just want comments to show up the way they were entered.
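Below is an added example, not the poster's code, showing one way to make comment text round-trip unchanged: undo any legacy magic-quotes escaping on input, insert through a prepared statement so no escaping ends up in the stored value, and escape for HTML only when rendering. It assumes PDO with the MySQL driver, a `comment` table with a single TEXT column named `story` (the column name, database name and credentials are assumptions; the post only shows the table name).

```php
<?php
// Added example (not the poster's code). Assumes a MySQL table `comment`
// with a TEXT column `story`; connection details below are placeholders.

// 1. Undo magic_quotes_gpc on old PHP (< 5.4). When it is on, $_POST values
//    already carry backslashes before quotes, and escaping them a second time
//    is what leaves \" and \' in the stored text. On PHP 8 the function is
//    gone, so the function_exists() check keeps this harmless there.
function raw_post(string $key): string
{
    $value = $_POST[$key] ?? '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 2. Insert with a prepared statement. The text travels separately from the
//    SQL, so the database stores it byte-for-byte as submitted, quotes,
//    backslashes and ampersands included, with no escaping to strip later.
function store_comment(PDO $db, string $story): void
{
    $stmt = $db->prepare('INSERT INTO `comment` (`story`) VALUES (:story)');
    $stmt->execute([':story' => $story]);
}

// 3. Escape for HTML only at output time. & < > " ' are stored verbatim and
//    turned into &amp; &lt; etc. here, so the browser shows exactly what the
//    user typed and the text is not interpreted as markup.
function render_comments(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT `story` FROM `comment`') as $row) {
        $html .= '<p>' . htmlspecialchars($row['story'], ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
    return $html;
}

// Placeholder connection values (assumed, not from the post).
$db = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
    'db_user',
    'db_password',
    [
        // Throw on failure instead of silently dropping a comment, which
        // makes "the comment never reached the database" visible in logs.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepares rather than client-side emulation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    store_comment($db, raw_post('story'));
}
echo render_comments($db);
```

One note on the vanishing `&`: the post does not show how the form is submitted, but a comment sent in a hand-built query string or AJAX body without URL-encoding is split at the `&`, so `I & you` arrives as a parameter `story=I ` followed by a separate, empty parameter. A normal POST form (the default `application/x-www-form-urlencoded` encoding) or `rawurlencode()` / `encodeURIComponent()` when building the request keeps the character intact; that is an assumption about the cause, not something the post states.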