PHP+MySQL - Dealing with Escaping characters

How do you deal with escaping characters? I'm sending variables to a PHP page from Flash using POST. Some of these variables contain large amounts of text gathered from user input into multiline dynamic textboxes, with apostrophes etc.

Basically I need to know what the way is to treat these POST variables so they are safe from malicious injection attacks, but also so all things get escaped properly, then inserted into the database properly, so that when the variables are pulled back out, they work in Flash.

Currently, to deal with the possibility the user may have pressed Enter or Return while typing their message, I have used mysql_real_escape_string(), then mysql_real_escape_string() on the already escaped variable. This returns something like
. The reason for this is because when I actually execute the INSERT into MySQL, one of the slashes magically disappears - so the correct
gets entered.

BUT - now if the user uses an apostrophe - then the double escaping produces \' or something like that which is totally wrong…

My server has that magic_quotes thing turned on and I can't turn it off; I'm not sure if this is part of the issue.

Could someone well versed in PHP+MySQL please explain how to treat POST variables so that all characters that should be escaped are escaped properly, and all return/enter characters are entered into the database as "\n" or "\r" instead of actual returns, which then breaks when it's spat back out…

Here's an example of the data that would be sent thru POST in the message variable:

"This is a test.

See there's a newline.

Here's another one. Also there was an apostrophe or two..."

This is what *should* get inserted into the database:

"This is a test.
See there\'s a newline.
Here\'s another one. Also there was an apostrophe or two..."

Help would be appreciated muchly :)
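
An added example, not part of the original post: it undoes the magic_quotes escaping once and passes the text to the database as a bound parameter, then stores the double-escaped value beside it to show the stray backslashes described above. Assumptions: `raw_post`, `store`, `load` and the `messages` table are hypothetical names, an in-memory SQLite database stands in for MySQL so the script runs offline, and magic quotes are simulated with `addslashes()`.

```php
<?php
// Constructed sample: the message as typed (real newlines, apostrophes).
$typed = "This is a test.\n\nSee there's a newline.\n\n"
       . "Here's another one. Also there was an apostrophe or two...";

// magic_quotes_gpc ran addslashes() over POST data. Simulated here,
// because the setting no longer exists in current PHP.
$_POST['message'] = addslashes($typed);

// Undo the magic-quotes escaping exactly once, and only if it was applied.
function raw_post(string $key, bool $magicQuotesOn): string
{
    $value = isset($_POST[$key]) ? $_POST[$key] : '';
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Assumption: SQLite in memory instead of MySQL. With MySQL only the
// PDO DSN and credentials change; the prepared statements stay the same.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)');

function store(PDO $db, string $body): int
{
    // The text travels as a bound parameter, never as part of the SQL
    // string, so no escaping function is needed and nothing is altered.
    $stmt = $db->prepare('INSERT INTO messages (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function load(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM messages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Clean path: strip the magic-quotes slashes, then bind.
$cleanId = store($db, raw_post('message', true));
// Double-escaped path: escaping applied on top of magic quotes.
$doubleId = store($db, addslashes($_POST['message']));

// Report whether the clean row matches what was typed, then show both rows.
echo 'round trip intact: ';
var_dump(load($db, $cleanId) === $typed);
echo 'clean row:   ', json_encode(load($db, $cleanId)), "\n";
echo 'doubled row: ', json_encode(load($db, $doubleId)), "\n";
```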