August 29, 2014 at 11:07 pm
#181128
Participant
I think this is how mysql injections happen.
Same idea, but different arena: this is HTML injection (better known as XSS (Cross-Site Scripting)).*
* side note: it’s not PHP that is doing the “interpreting,” here. PHP just prints it. After that, we’re worried about how the browser interprets it.
You need to encode the quotes, so they are displayed as quotes (and not interpreted as delimiters). Read up on htmlspecialchars, particularly the usage of the various flags.
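The flag behaviour mentioned in the reply above, as an added example that is not part of the original post. The sample value, the `e()` helper and the `title` field name are assumptions made for illustration.

```php
<?php
// Constructed sample value, standing in for a column fetched from MySQL.
$title = 'Tom\'s "Big" <b>Sale</b> & more';

// Hypothetical helper (not from the thread): encode a value for HTML text
// or for a quoted attribute value.
// ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
// with U+FFFD instead of making the function return an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The same value under each quote flag.
$flags = [
    'ENT_NOQUOTES' => ENT_NOQUOTES, // encodes & < > only, leaves both quote styles
    'ENT_COMPAT'   => ENT_COMPAT,   // also encodes "  (the default before PHP 8.1)
    'ENT_QUOTES'   => ENT_QUOTES,   // also encodes '  (part of the default since PHP 8.1)
];
foreach ($flags as $name => $flag) {
    printf("%-12s %s\n", $name, htmlspecialchars($title, $flag | ENT_HTML5, 'UTF-8'));
}

// Unencoded: the " inside the data closes the value attribute early, and the
// browser parses the rest of the string as markup.
echo '<input type="text" name="title" value="' . $title . '">', "\n";

// Encoded: the quotes are displayed as quotes, whichever delimiter the
// template uses around the attribute.
echo '<input type="text" name="title" value="' . e($title) . '">', "\n";
echo "<input type='text' name='title' value='" . e($title) . "'>", "\n";
```

Encoding belongs at output time, in the template, so the database keeps the original text; an attribute written without any quotes is not protected by any of these flags.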