Question

I have been using this to sanitize my textareas from XSS injects. I haven't had any problems yet, but since I have been reading around on Google I am not sure if this is a safe way.

$comment = nl2br(htmlspecialchars($_POST['comment']));

Then I am inserting it into my DB using mysqli with bind_param(); to prevent SQL injection.

And lastly I am just outputting it with <p><?php echo $info['comment']; ?></p>

Is this a safe way?

What I want to do is just sanitize it, then store it in my DB, then output it, with working line breaks.

Thanks in advance,


Solution

Store it as is, using the escaping that your database library provides. Apply nl2br and, if needed, htmlentities/htmlspecialchars when displaying it.
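The pattern this answer describes, as an added example that is not part of the original question or answer: the comment is stored exactly as submitted through a parameterized query, and escaping for HTML happens only at output time. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table name, column name and sample comment are constructed for the example, and the same placeholder-based binding applies to mysqli's prepare()/bind_param() as used in the question.

```php
<?php
// Added example, not code from the original question or answers.
// Assumptions: an in-memory SQLite database via PDO stands in for the asker's
// MySQL/mysqli setup; the "comments" table and the sample text are constructed.

declare(strict_types=1);

// Render stored text for an HTML element context.
// Order matters: escape first, then add <br /> tags. Escaping after nl2br()
// would turn the <br /> tags themselves into visible text.
function renderComment(string $raw): string
{
    return nl2br(htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input: markup, a quote and a newline, the kinds of
// characters that matter for SQL, HTML and line-break handling.
$posted = "Hello <b>world</b>\nIt's 5 o'clock & <script>alert(1)</script>";

// Store the text as is. The placeholder keeps it data rather than SQL text,
// so no escaping is needed (or wanted) before storage.
$insert = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $posted]);

// Read it back: the stored value is still the raw, unmodified text.
$row = $db->query('SELECT body FROM comments WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
if ($row['body'] !== $posted) {
    throw new RuntimeException('stored text was altered');
}

// Escape only when placing the text into HTML, for that specific context.
echo '<p>' . renderComment($row['body']) . "</p>\n";
```

Keeping the database copy unescaped means the same text can later be reused in a non-HTML context (plain-text email, a JSON API, search indexing) without first undoing HTML escaping, and a change of output encoding or escaping rules never requires rewriting stored rows.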

OTHER TIPS

You're not sanitising at all.

As said, you need to use the escaping your database library provides, as the escaping methods vary depending on database type.

Historically, you'd use mysql_real_escape_string(), but that is now deprecated as of PHP 5.5.0.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow