why aren't single quotes turned into &#39;? June 11, 2009 12:00AM
Registered: 3 years ago Posts: 2
Wouldn't you agree that most of what is purified through HTML Purifier gets put in a database? SQL queries can easily be injected if single quotes aren't escaped. So why isn't this something HTML Purifier offers? It even converts &#39; back into '. Why? It even does it with the doctype changed to XHTML 1.1. I have to put str_replace('\'', '&#39;', $text) after $text goes through the purifier.
Re: why aren't single quotes turned into &#39;? June 11, 2009 12:37AM
Admin Registered: 6 years ago Posts: 2,632
HTML Purifier normalizes characters into a common, safe form, in order to improve the uniformity of its output. A regular single quote is much prettier than the numeric character entity reference.
With regards to SQL injections, HTML Purifier is not and cannot be in any way related to your database. You must use an appropriate SQL escaping command.
Re: why aren't single quotes turned into &#39;? June 27, 2009 08:59AM
Registered: 4 years ago Posts: 6
Use prepared SQL statements and SQL injection really isn't a problem.
http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html
I personally do it via PEAR::MDB2 but I believe you can also do it with PDO and even the raw mysql driver.
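Added example, not code from the thread or from the HTML Purifier project, tying the two replies together: HTML Purifier leaves apostrophes as literal characters, and a PDO prepared statement stores that output safely without any &#39; substitution. It assumes HTML Purifier's HTMLPurifier.auto.php is on the include path, that the PDO SQLite extension is loaded, and a constructed comments table and sample input.

```php
<?php
// Added example (not from the thread or the HTML Purifier project).
// Assumes HTMLPurifier.auto.php is on the include path and PDO SQLite is available.
require_once 'HTMLPurifier.auto.php';

$config = HTMLPurifier_Config::createDefault();
$config->set('HTML.Doctype', 'XHTML 1.1'); // the doctype the poster tried; apostrophes stay literal
$purifier = new HTMLPurifier($config);

// Constructed sample input: markup to strip plus apostrophes that must survive.
$dirty = "<b>O'Reilly</b> wrote<script>alert(1)</script> 'hi'";
$clean = $purifier->purify($dirty);
// $clean now contains only the allowed markup; the apostrophes are still plain ' characters.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Wrong: splicing the purified HTML into the SQL text. The first apostrophe
// closes the string literal, so the statement breaks (or, with crafted input, changes meaning).
// This is the injection the original poster was worried about.
try {
    $pdo->exec("INSERT INTO comments (body) VALUES ('" . $clean . "')");
} catch (PDOException $e) {
    echo 'concatenation failed: ' . $e->getMessage() . PHP_EOL;
}

// Right: a prepared statement. The value travels separately from the SQL text,
// so apostrophes are data and need neither manual escaping nor &#39; substitution.
$stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $clean]);

// Round trip: the stored body equals the purified text byte-for-byte, apostrophes intact.
$stored = $pdo->query('SELECT body FROM comments')->fetchColumn();
var_dump($stored === $clean);
```

Escaping on the way into the database and entity-encoding on the way out to HTML are separate concerns; conflating them with a str_replace on the purifier's output fixes neither.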
Timothy (TRiG)
Re: why aren't single quotes turned into &#39;? January 05, 2010 04:06PM