First of all, I have a html editor that accept input from user. I want to store plain html tags in database and cater for quotes (sql injection) that appear as well.
For example,
$input = "<h1><strong><span style="font-size:36px">I'm waiting</span></h1>";
I need to cater quote only from I'm waiting but not quotes that appear between html tags before storing into database. Any recommended way to do that?
ps: please ignore PDO (or mysqli) with prepared statements in this case.
You should use http://php.net/manual/en/function.mysql-real-escape-string.php to make sure no sql injection can be made against you.