I'm using htmlspecialchars on my textarea and want to keep the HTML format while removing SQL injection. Is htmlspecialchars good for this?