Well, this is the code I use for my forum:
Preparation, before inserting it into the database:
$message = nl2br(addslashes(htmlentities($_POST['body'])));
Displaying it from the database:
$message = stripslashes($thread['body']);
The problem might be the way you're doing it.
If you're doing it strip_tags(nl2br($text)), then strip_tags will remove the br's inserted by nl2br(). It should then be nl2br(strip_tags($text)).
For something like a forum message where the user can edit the text over and over again, it's better to use nl2br() only when the text is being viewed, not when it is being stored in a table. Otherwise, each time the user edits the text, they will get lots of <br> tags in their message.
Edit:
oh, and I'm making a mail system right now, and I'm trying to make sure all the messages are sanitized properly.
Here's what I've got:
$insert['body'] = htmlentities( $_POST['body'], ENT_QUOTES);
$insert['body'] = (!get_magic_quotes_gpc()) ? addslashes($insert['body']) : $insert['body'];
Would that work fine? Anybody notice any limitations or ways to get around it?
Thanks
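An added example, not code from any poster in this thread, covering both points raised above: nl2br() has to run after strip_tags() or HTML escaping (not before), and the message is best stored raw, with the HTML escaping and the <br> insertion done only at display time. Storage here uses PDO prepared statements against an in-memory SQLite table; that is an assumption standing in for the addslashes() approach in the question, chosen because the driver binds the value and no manual quote escaping is needed. The sample message is constructed.

```php
<?php
// Added example (not from the thread): store raw, escape on output, nl2br() last.
declare(strict_types=1);

// Constructed sample input, as it might arrive in $_POST['body'].
$submitted = "Hello <b>world</b>\nIt's \"quoted\" & line two\n<script>alert(1)</script>";

// --- Storage: parameterised insert; no addslashes(), nl2br() or htmlentities() ---
// In-memory SQLite so the example runs offline (assumption; the thread's forum uses
// a real table, but the pattern is the same for MySQL via PDO).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE thread (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

function storeMessage(PDO $pdo, string $raw): int
{
    // The driver binds the value, so quotes and backslashes in $raw are data, not SQL.
    $stmt = $pdo->prepare('INSERT INTO thread (body) VALUES (:body)');
    $stmt->execute([':body' => $raw]);
    return (int) $pdo->lastInsertId();
}

function loadMessage(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM thread WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// --- Rendering: escape for HTML first, then add <br />s. The order matters. ---
function renderMessage(string $raw): string
{
    // htmlspecialchars() with ENT_QUOTES turns < > & " ' into entities, so any markup
    // the user typed (including the <script> tag above) is shown literally.
    $escaped = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // nl2br() runs last: the <br /> it inserts must not be escaped or stripped afterwards.
    return nl2br($escaped);
}

// --- Editing: hand the raw text back to the textarea, escaped exactly once ---
function editField(string $raw): string
{
    return '<textarea name="body">'
        . htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</textarea>';
}

// The two orderings discussed in the thread, side by side:
// strip_tags() after nl2br() strips the <br /> tags nl2br() just added.
$wrongOrder = strip_tags(nl2br("line one\nline two"));
// strip_tags() first, nl2br() second keeps the line breaks.
$rightOrder = nl2br(strip_tags("line one\nline two"));

// Why nl2br() belongs at display time only: if the stored text already contains
// <br /> and is run through nl2br() again on the next save, the tags accumulate.
$storedWithBr = nl2br("line one\nline two");
$afterOneEdit = nl2br($storedWithBr);   // now carries two <br /> per newline

$id  = storeMessage($pdo, $submitted);
$raw = loadMessage($pdo, $id);

// Storing raw makes the round trip lossless, so editing never changes the text.
assert($raw === $submitted);

echo renderMessage($raw), "\n";
echo editField($raw), "\n";
echo $wrongOrder, "\n", $rightOrder, "\n", $afterOneEdit, "\n";
```

The defensive point is that each output context gets its own escaping at the moment of output: HTML escaping plus nl2br() for the rendered post, HTML escaping alone for the edit textarea, and parameter binding for the database. Nothing is escaped at storage time, so none of the transformations can compound or fight each other as they do when addslashes(), htmlentities() and nl2br() are all applied before the insert.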
