Well, I seemed to work it out using htmlentities().
However, it's showing up as HTML in the database (which is OK, I'm just wondering why it's doing it).
The value I'm POSTing looks like this:
<input type="hidden" name="message" value="<font color="red">text!</font>">
OK, cool, that's what I expected it to do.
Here's how I'm processing this POST value:
$message = mysql_real_escape_string(me_strip_css(me_strip_js(stripslashes($_POST['message']))));
The functions me_strip_css and me_strip_js are only preg_replace-ing values.
When I submit this form, it shows up in the database as HTML and not the entities that I passed. How come?
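
The round trip described in this post, as an added example that is not part of the original post: an entity-encoded hidden field value is decoded by the browser's HTML parser before submission, so the server receives and stores raw markup, and encoding has to be applied again wherever the stored value is printed. Assumptions: html_entity_decode() stands in for the browser, an in-memory SQLite table named messages (hypothetical, requires pdo_sqlite) stands in for the poster's MySQL table, and a bound parameter replaces mysql_real_escape_string().

```php
<?php
// Constructed sample: the markup the form carries in its hidden field.
$original = '<font color="red">text!</font>';

// 1. Server renders the form. The value is entity-encoded so that it is
//    a valid attribute value and cannot break out of the quotes.
$attr = htmlentities($original, ENT_QUOTES, 'UTF-8');
$form = '<input type="hidden" name="message" value="' . $attr . '">';

// 2. Browser parses the form. Character references inside attribute
//    values are decoded by the HTML parser, so the form field holds the
//    original markup again. html_entity_decode() simulates that step.
$submitted = html_entity_decode($attr, ENT_QUOTES, 'UTF-8');

// 3. Server stores what it received. The bound parameter protects the
//    SQL statement only; it does not change the data itself.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (body TEXT)');
$db->prepare('INSERT INTO messages (body) VALUES (?)')->execute([$submitted]);
$stored = $db->query('SELECT body FROM messages')->fetchColumn();

// 4. Any page that prints the stored value as text must encode it at
//    output time, because the database holds live markup.
$safe = htmlentities($stored, ENT_QUOTES, 'UTF-8');

echo "rendered form : $form\n";
echo "submitted     : $submitted\n";
echo "stored in DB  : $stored\n";
echo "encoded output: $safe\n";
echo 'stored equals original markup: ';
var_dump($stored === $original);
```

The database column holds the raw markup because entity encoding is a property of the HTML document, not of the submitted value; the same applies to any hidden field, which a client can also change freely before posting.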