So if I could broaden the question and ask, in general, what people recommend for pre-processing data before it goes into a SQL statement.
For escaping, I recommend an escaping function specific to your database. These exist for most popular databases. As a last resort, you can escape with addslashes(), but only if your database doesn't have a native escaping function and also escapes things like single and double quotes with a backslash.
htmlentities()
This is an escaping function for HTML, not SQL. For HTML, I think it's the best. :-)
Hope that helps.
Chris
-- Chris Shiflett Brain Bulb, The PHP Consultancy http://brainbulb.com/
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
