I'm inserting user input into MySQL. I'm going to be later displaying the information. I'm using nl2br to preserve the "enters". I want to remove all other HTML from the input as well as make the information safe to insert into the database.
This is what I'm using now. Is this enough?
$message = nl2br(htmlspecialchars($_POST['message'], ENT_QUOTES));
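As an added example (not the poster's code), here is the two-step split a practitioner would want: store the raw text through a prepared statement so it can never be interpreted as SQL, and apply htmlspecialchars() plus nl2br() only at display time. The table name `messages`, the DSN and the credentials are assumptions.

```php
<?php
// Added example, not from the original post. Assumes a table
// messages(id INT AUTO_INCREMENT PRIMARY KEY, body TEXT) and placeholder
// DSN/credentials; adjust for your environment.

// 1) Storage: a parameterised INSERT sends the value separately from the
//    query text, so no character in $message can change the SQL. HTML
//    escaping is not a database protection and is not needed here.
function storeMessage(PDO $db, string $message): int
{
    $stmt = $db->prepare('INSERT INTO messages (body) VALUES (:body)');
    $stmt->execute([':body' => $message]);
    return (int) $db->lastInsertId();
}

// 2) Display: escape for HTML first, then turn newlines into <br />.
//    Escaping after nl2br would destroy the <br /> tags it inserted.
function renderMessage(string $rawBody): string
{
    return nl2br(htmlspecialchars($rawBody, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

$db = new PDO(
    'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', // placeholder DSN
    'app_user',                                        // placeholder user
    'app_password',                                    // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

// Constructed sample input: a line break plus markup and quotes that must
// be shown literally, never rendered as HTML.
$input = "first line\n<b>not bold</b> & 'quotes'";
$id = storeMessage($db, $input);

$select = $db->prepare('SELECT body FROM messages WHERE id = :id');
$select->execute([':id' => $id]);
echo renderMessage((string) $select->fetchColumn());
```

Keeping the stored text unescaped means the same row can later be rendered in a non-HTML context (plain-text e-mail, JSON API) without first undoing the entity encoding.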