How do I properly sanitize data received from a text area, when outputting it back into the text area?

Front-end | unresolved | 2 answers | 1445 views
我寻月下人不归 2020-12-30 15:01

A user will input text in a textarea. It is then inserted directly into a MySQL database. I use trim, htmlentities, mysql_real_escape_string on it and I have magic quotes en

2 answers
  •  滥情空心
    2020-12-30 15:35

    In addition to Paolo's answer about when to use htmlentities(), unless you're using an old version of PHP, the correct way to sanitize for insertion into a mysql DB is to use Prepared Statements which are part of the mysqli extension. This replaces any need to use mysql_real_escape_string().

    Other than that, I think you've got things covered.
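Worked example of the approach the answer recommends, added here and not part of the original answer or the asker's code: the textarea value goes into MySQL as a bound parameter of a mysqli prepared statement (no mysql_real_escape_string, no reliance on magic quotes), and HTML encoding is applied once, at the moment the stored text is written back into the `<textarea>`. The table `notes`, its `body` column, the connection credentials and the sample input are assumptions made for the example.

```php
<?php
// Added example, not the original poster's code. Assumed schema:
//   CREATE TABLE notes (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT NOT NULL)
// Connection parameters below are placeholders.
declare(strict_types=1);

// Make mysqli throw mysqli_sql_exception on any error instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4'); // charset must be set on the connection, not guessed later

/**
 * Store a textarea submission. The value is never spliced into the SQL text:
 * it is sent as a typed parameter, so quotes, backslashes and NUL bytes in
 * $body cannot change the statement.
 */
function saveNote(mysqli $db, string $body): int
{
    $body = trim($body); // whitespace cleanup is fine; encoding at this stage is not
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

/**
 * Read the text back exactly as the user typed it (no HTML entities in the DB).
 */
function loadNote(mysqli $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM notes WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($body);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $body : null;
}

/**
 * Render the stored text inside a <textarea>. This is the one place where
 * HTML encoding belongs. ENT_QUOTES encodes both ' and ", and "</textarea>"
 * in the data becomes "&lt;/textarea&gt;", so the user cannot break out of
 * the element and inject markup or script.
 */
function renderTextarea(string $body): string
{
    return '<textarea name="body">'
        . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</textarea>';
}

// Constructed sample input: tries to close the textarea and run script,
// and also contains a quote and a backslash that would matter for SQL.
$input = "</textarea><script>alert(1)</script> O'Reilly \\ test";

$id = saveNote($db, $input);
echo renderTextarea(loadNote($db, $id) ?? '');
```

Two practical caveats. First, the question mentions magic quotes being enabled: with `magic_quotes_gpc` on, `$_POST` values already carry backslashes, so binding them as-is stores those backslashes in the database; either disable the setting (it was removed in PHP 5.4) or run `stripslashes()` on the input before calling `saveNote()`. Second, `htmlentities()`/`htmlspecialchars()` applied before the INSERT means the database holds `&lt;` and `&amp;` rather than the user's text, and rendering it again on output double-encodes it; keeping the stored value raw and encoding only in `renderTextarea()` avoids that.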
