I must mention first of all that I'm a newbie in PHP, so please understand me.
I have a difficulty with this form:
<form action="something.php" method="get">
<input type="text" name="something">
<input type="submit" value="send">
</form>
In "something.php" I have this line of code:
<?php
$something = $_GET["something"];
?>
When I write in the HTML form, <a href="#">asdqw</a>
for example, it shows me exactly that code...
Understand me... I'm a newbie at this, and I want to learn.
I want to encode that, so that if somebody writes characters like < , > , $ , ^
etc., something else is displayed, because I don't want it to affect me.
I want to mention that I also use a database. What I write in that form will be saved in the database and will be shown on another page, but also in the URL bar, like: "http://some-site.com/page.php?something=something". I hope you understand me, and forgive me for my bad language. I'm Romanian, and I don't want to use a translator.
Use htmlspecialchars():
$something = htmlspecialchars($_GET['something'], ENT_QUOTES | ENT_HTML5);
You should use this method for outputting data in an HTML context.
If you want to save the data into your database, you should rather use MySQLi with prepared statements, or PDO.
Here is a very nice answer showing important information about edge cases of prepared statements/PDO and MySQLi::real_escape_string():
SQL injection that gets around mysql_real_escape_string()
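To show the two pieces of the answer working together (store the raw text with a prepared statement, escape it only when it is printed into HTML), here is an added, self-contained example. It is not code from the question or the answer above. It assumes the `pdo_sqlite` extension is available and uses an in-memory SQLite database so it runs without a MySQL server; with MySQL only the DSN passed to `new PDO(...)` changes. The table name `messages`, the helper names and the sample input are all chosen for this example.

```php
<?php
declare(strict_types=1);

// Escape a string for an HTML body or attribute context. ENT_QUOTES also
// escapes ' and ", so the same helper is safe inside quoted attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Store the text exactly as typed. The prepared statement sends the value
// separately from the SQL text, so quotes in $text cannot alter the query.
function saveMessage(PDO $pdo, string $text): int
{
    $stmt = $pdo->prepare('INSERT INTO messages (body) VALUES (:body)');
    $stmt->execute([':body' => $text]);
    return (int) $pdo->lastInsertId();
}

function loadMessage(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM messages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

// Render for the page: escape at output time, never at storage time, so the
// database keeps the original text and every output context escapes its own way.
function renderMessage(string $body): string
{
    return '<p class="message">' . h($body) . '</p>';
}

// Build the link the question mentions: urlencode() for the query-string
// context, then h() because the URL is placed inside an HTML attribute.
function messageLink(string $text): string
{
    $url = 'page.php?something=' . urlencode($text);
    return '<a href="' . h($url) . '">' . h($text) . '</a>';
}

// Assumption: pdo_sqlite is installed; an in-memory database keeps the example offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT NOT NULL)');

// Constructed sample input: the markup from the question plus characters
// that would break both HTML attributes and a naively built SQL string.
$input = $_GET['something'] ?? '<a href="#">asdqw</a> & it\'s "fine"; DROP TABLE messages; --';

$id     = saveMessage($pdo, $input);
$stored = loadMessage($pdo, $id);

// The stored value is untouched; only the HTML output is escaped.
echo renderMessage($stored), "\n";
echo messageLink($stored), "\n";
```

Run it with `php example.php` and the printed `<p>` contains `&lt;a href=&quot;#&quot;&gt;...` instead of a live link, while the `messages` table still holds the literal text the user typed. Escaping on output rather than on input is the point: if the same value is later put into a URL, a JSON response or an e-mail, each of those contexts needs its own encoding, and a value that was already HTML-escaped before storage would be wrong for all of them.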