/**
 * Escape a string and wrap it in single quotes so it can be embedded in a
 * MySQL statement as a string literal.
 *
 * The actual escaping is delegated to $conn->EscapeString(); this method
 * assumes Magic Quotes are NOT active, i.e. the input arrives unescaped.
 * When $allow_html is false the text is passed through strip_tags() first.
 *
 * Security notes (review):
 *  - The result is only safe in a quoted-string context. Do not use it for
 *    identifiers, numeric literals, LIMIT values or LIKE patterns without
 *    further handling; prefer prepared statements where the driver allows.
 *  - strip_tags() is NOT an XSS defence: it ignores attributes, entities
 *    and malformed markup. Treat $allow_html = false as a content
 *    preference, not a sanitiser — escape on output for the target context.
 *  - Escaping is only correct if EscapeString() uses the connection's real
 *    character set (e.g. mysqli_real_escape_string after set_charset);
 *    presumably so — verify in MySqlConnection.
 *  - The original comment states htmlentities() is applied to all incoming
 *    data elsewhere; that is an input-side filter and should not replace
 *    per-context output escaping — TODO confirm with the callers.
 *
 * @param MySqlConnection $conn       connection whose escaping rules apply
 * @param string          $s_text     raw, unescaped text
 * @param bool            $allow_html keep markup; false strips tags first
 * @return string single-quoted, escaped SQL string literal
 */
public static function ProtectString(MySqlConnection $conn, $s_text, $allow_html = true)
{
    // Only drop tags when the caller explicitly disallowed markup.
    $payload = $allow_html ? $s_text : strip_tags($s_text);

    // Quote after escaping so the literal is ready to splice into SQL.
    return sprintf("'%s'", $conn->EscapeString($payload));
}