Use of Quotes in Form Element values
I have created a Textarea control. The data entered in this control goes to a database when Submit is clicked. However, when the user types single quotes while entering a value in this control and clicks Submit, the data does not go to the database.
How can I allow users to enter special characters like this while entering data in the form?
When inserting data in a query, you have to escape it with mysql_real_escape_string() (if using a MySQL database). This protects you from SQL injection.
mysql_query("INSERT INTO table(col) VALUES('".mysql_real_escape_string($data)."')");
When showing data in form elements, you have to escape it with the htmlspecialchars() function, like this. This protects you from XSS.
<textarea><?php echo htmlspecialchars($data, ENT_QUOTES); ?></textarea>
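The same two steps as a complete, added example (not code from the original answer), using a PDO prepared statement in place of mysql_real_escape_string(), which was removed in PHP 7. It assumes an in-memory SQLite database so it runs offline; the table name `notes`, the column `body`, and the sample input are constructed for the example.

```php
<?php
// Added example: store a textarea value and render it back safely.
// Parameter binding replaces mysql_real_escape_string(); htmlspecialchars()
// handles the HTML side, as the answer describes.
declare(strict_types=1);

// Assumption: in-memory SQLite for a self-contained run. For MySQL, change
// the DSN (e.g. 'mysql:host=...;dbname=...') and the CREATE TABLE syntax.
function openDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

// Step 1: insert the submitted value. It is bound as a parameter, so quotes
// in $body are data to the driver and never become part of the SQL text.
function saveNote(PDO $pdo, string $body): int {
    $stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function loadNote(PDO $pdo, int $id): string {
    $stmt = $pdo->prepare('SELECT body FROM notes WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Step 2: put the stored value back into the form. ENT_QUOTES encodes both
// quote styles along with <, > and &, so the value can neither close the
// <textarea> early nor inject markup into the page.
function renderTextarea(string $body): string {
    return '<textarea name="body">'
        . htmlspecialchars($body, ENT_QUOTES, 'UTF-8')
        . '</textarea>';
}

// Constructed sample input: quotes and markup that break naive concatenation.
$submitted = "It's a 'test' </textarea><script>alert(1)</script>";

$pdo = openDb();
$id = saveNote($pdo, $submitted);
$stored = loadNote($pdo, $id);

assert($stored === $submitted);   // the quotes round-trip unchanged
echo renderTextarea($stored), PHP_EOL;
```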