Did you sanitize the user input (was it originally user input that was put into the database)? If so, use [man]htmlspecialchars[/man] on the variable before putting it into the database. I also suggest against other measures.
If that's not the problem, you should be able to have htmlspecialchars do the same thing when extracting it from the database; this isn't a way to fix it, though.