Can someone give me some advice please as I am slightly confused about being
safe when dealing with user input via a form.

The scenario is trying to save a name with an apostrophe..

to get this picked up in my validation I had to put an escape character in the
mask ... ereg("^([a-zA-Z \'-]+). I also wanted to make sure any extra spaces in
the input were removed ...

$contact_name = trim($_POST['contact_name']);
$name_parts = explode(' ', $contact_name);
$contact_name = trim(implode(' ', $name_parts));

if (!ereg("^([a-zA-Z \'-]+){5,10}$", $contact_name))
$contact_name = stripslashes($contact_name);
$contact_name = mysql_real_escape_string($contact_name);
$cn_html = htmlentities($contact_name);
{ $errors [] = 'Enter valid contact name: ' . $contact_name . ' ' .
$cn_html; }

The things is when you view an name with an apostrope it is supplemented with
an escape character which I don't believe you would want to commit to the db
.... e.g. if I enter John O'Rei?ly in the above example I get ...

Enter valid contact name: John O\'Rei?ly John O\'Rei?ly

i.e both mysql_real_escape_string & htmlentities give me the same result ....
does this imply that John O\'Reilly would be written to the db if I had entered
John O'Reilly ?

Doesn't seem right.

Any advice much appreciated.
Regards.
Patrick.