[eluser]MaxPar[/eluser]
I'm using CodeIgniter to develop a web application. Part of involves users entering text into a form that is then stored in a mysql database.
My background in programming mostly comes from college classes that I took while studying engineering, so I'm not really so familiar with internet security and database applications. I've read a lot about "sql injection attacks" - this is apparently a big cause of fear, as it would let someone run random code on my server.
What I want to know is simple: Is it a Really Bad Idea to let users enter whatever they want into a textarea in a form, and then directly plug it into an entry in my mysql database?
I need the user to have some amount of freedom in what they can enter, specifically, HTML and Chinese characters.
I've know that PHP has a function called mysql_real_escape_string() - is this something that I should be using to clean the textarea's contents before I enter it into my database?