playing around with a plugin that allows a user to have a html embed
on their profile, and i store it in a db field.

and when i load it to the profile
i use

$content = htmlspecialchars_uni($sqlstring['field']);

BUT it shows the actual html code,
how ewer if i remove the "htmlspecialchars_uni();"
and do this

$content = $sqlstring['field']);
it works fine, but i am just worried wont that be a security risk,
is that not a way to sql inject with such a field without htmlspecialchars_uni();
in run time ?

Clean the html on input. Then what ever displays is already clean.

i always clean like this before saveing in database
string format, user input galcod

$galcod = $vbulletin->input->clean_GPC('g', 'galcod', TYPE_STR);
$galcod =& $db->escape_string($vbulletin->GPC['galcod']);

so it "should" be safe next time read from db ?