How to neutralize inputs that contain html tags?

I mean if someone enters <a>gvfdg</a> it should not开发者_Go百科 show up a link. I've tried htmlspecialchars() but it did not helped. In PHP and MySQL.

mysql_real_escape_string(htmlspecialchars($mesaj));

$sql="INSERT INTO mesaj (Person1, Person2, mesaj)
VALUES ('$currentuser', '$id','$mesaj')";

if (!mysql_query($sql,$link))
{
die('Error: ' . mysql_error());
}
mysql_close($link);

This call

mysql_real_escape_string(htmlspecialchars($mesaj));

won't work: You will need to assign the return value.

$mesaj = mysql_real_escape_string(htmlspecialchars($mesaj));

However, it would be better to store the data in the database in its original form, and do a htmlspecialchars() when you are about to output the data.

I am assuming that you are doing a mysql_real_escape_string() on $currentuser and $idas well!

Maybe you're searching for strip_tags. However, htmlspecialchars() should work, in the sense of converting '<' and '>' into html entities so that aren't parsed by the browser.