
Junk Data Found After Data Input Through Editor


yoursanjay


I have been facing a problem with data input through a text editor (the same problem occurs with most open-source text editors). I have to insert content into a MySQL database, and the content is output in HTML format. I use both htmlspecialchars() and mysql_real_escape_string to provide security at the time of data input. I have seen that if there is "" or ' in the content, the content can't be inserted; otherwise it is OK. The same code sometimes works perfectly on a different server. I generally use something like

$x = htmlspecialchars($_REQUEST['content']);
or
$x = mysql_real_escape_string($_REQUEST['content']);
or
$x = htmlspecialchars(mysql_real_escape_string($_REQUEST['content']));
My question: is the problem server related, since sometimes I didn't get any error on some servers and never on localhost? When I get the output in HTML format, I always find some junk data like 'rn', and every time it cannot render the ' and " signs. In the HTML I always find some others like <br>, the URL or link always changes, and there are some % signs also. Please help.

htmlspecialchars — Convert special characters to HTML entities: '&' (ampersand) becomes '&amp;' and so on... I haven't ever used the one above.

mysql_real_escape_string - Escapes special characters in a string for use in a SQL statement. mysql_real_escape_string or mysql_escape_string, depending on PHP version.

Oh wait, magic_quotes might be enabled on your server; TRY:

stripslashes($_REQUEST['content']);


If magic quotes are enabled, the best option is to disable them - http://www.php.net/manual/en/security.magi...s.disabling.php. Note that htmlspecialchars() doesn't protect against SQL injection, it protects against XSS.
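
The following PHP script is an added example, not code from any poster in this thread. It shows how escaped text that later loses its backslashes produces the literal 'rn', how htmlspecialchars() before storage turns markup into entities, and how a bound parameter stores quotes and line breaks unchanged. The helper `emulate_real_escape()`, the `pages` table and the in-memory SQLite database standing in for MySQL are assumptions made so the script runs without a server.

```php
<?php
// Constructed sample of rich-text editor output: quotes, a CRLF and a tag.
$input = "<p class=\"a\">It's here</p>\r\n<br>";

// Hypothetical stand-in for mysql_real_escape_string(): escapes the same
// characters (NUL, \n, \r, \, ', ", Ctrl-Z) but needs no MySQL connection.
function emulate_real_escape(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'"  => "\\'",  '"'  => '\\"', "\x1a" => "\\Z",
    ]);
}

// Broken path 1: escaped text that is later passed through stripslashes()
// loses the backslashes but keeps the letters that followed them, so the
// CRLF pair survives only as the two characters "r" and "n".
$stripped = stripslashes(emulate_real_escape($input));
var_dump($stripped);

// Broken path 2: htmlspecialchars() applied before storage converts the
// markup to entities, so a browser later displays the tags as text.
$encoded = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
var_dump($encoded);

// Working path: bind the raw value to a placeholder and let the driver
// handle quoting. SQLite in memory replaces MySQL here (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, content TEXT)');
$stmt = $db->prepare('INSERT INTO pages (content) VALUES (:content)');
$stmt->execute([':content' => $input]);

// The value read back is compared byte for byte with what was submitted.
$stored = $db->query('SELECT content FROM pages')->fetchColumn();
var_dump($stored === $input);
```

htmlspecialchars() belongs at the point where stored text is written into a page as plain text, not at the point of insertion.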
