PHP & mySQL: When exactly to use htmlentities?

遥遥无期 2020-12-04 20:14

PLATFORM: PHP & mySQL

For my experimentation purposes, I have tried out a few XSS injections myself on my own website. Consider this situat

4 answers
  •  刺人心 (original poster)
     2020-12-04 20:51

    In essence, you should use mysql_real_escape_string prior to database insertion (to prevent SQL injection) and then htmlentities, etc. at the point of output.

    You'll also want to apply sanity checking to all user input to ensure (for example) that numerical values are really numeric, etc. Functions such as is_int, is_float, etc. are useful at this point. (See the variable handling functions section of the PHP manual for more information on these functions and other similar ones.)
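The three stages this answer describes (sanity-check the input, let the database layer quote it on insertion, HTML-encode only at output) as one added PHP example, not code from the original answer. It assumes a `comments` table and a `mysqli` connection, and uses mysqli prepared statements in place of the removed `mysql_real_escape_string()`.

```php
<?php
// Added example: validate on input, quote for SQL at insertion, encode for
// HTML only when rendering. Assumed schema: comments(post_id INT, author
// VARCHAR(64), body TEXT). Prepared statements stand in for the removed
// mysql_real_escape_string() named in the answer.
declare(strict_types=1);

// 1. Sanity-check every field before it goes near the database.
function validateComment(array $input): array
{
    // A numeric field must really be numeric, not merely look like it.
    $postId = filter_var($input['post_id'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    if ($postId === false) {
        throw new InvalidArgumentException('post_id must be a positive integer');
    }
    $author = trim((string)($input['author'] ?? ''));
    $body   = trim((string)($input['body'] ?? ''));
    if ($author === '' || mb_strlen($author) > 64 || $body === '' || mb_strlen($body) > 2000) {
        throw new InvalidArgumentException('author/body missing or too long');
    }
    // The text is kept exactly as typed: no htmlentities() at this stage,
    // otherwise the stored value is already encoded and gets encoded twice on output.
    return ['post_id' => $postId, 'author' => $author, 'body' => $body];
}

// 2. Store: the driver quotes the values, so no string concatenation into SQL.
function storeComment(mysqli $db, array $c): void
{
    $stmt = $db->prepare('INSERT INTO comments (post_id, author, body) VALUES (?, ?, ?)');
    $stmt->bind_param('iss', $c['post_id'], $c['author'], $c['body']);
    $stmt->execute();
    $stmt->close();
}

// 3. Output: encode for the HTML context at the moment of rendering.
function h(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderComment(array $row): string
{
    return '<div class="comment"><b>' . h($row['author']) . '</b>: ' . h($row['body']) . '</div>';
}

// Constructed sample row, as it would come back from the database unchanged;
// the markup inside is rendered as literal text, not executed.
$row = ['author' => 'tester', 'body' => '<script>alert(1)</script> "quoted" & <b>bold</b>'];
echo renderComment($row), PHP_EOL;
```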
