Escaping variables

Backend | Unresolved | 4 | 1886
轻奢々 2020-12-10 21:11

I've read that it's enough and even recommended to escape characters on the output, not on the input.

It could be easily applied to all get variables as they are n

4 answers
  •  借酒劲吻你 2020-12-10 21:49

    1. Whenever data is coming from a user, sanitize it (take special attention if it's being stored in a database). So PDO with a prepared statement is a must. Whatever else you do is an added bonus.

    2. Yes (opinions will differ here from person to person) for preventing SQL injection (assuming you are using prepared statements), though I prefer storing the raw data in the database even if it means some malicious XSS code may be contained in it. While outputting, take utmost care.

    3. No. Use HTMLPurifier (with a view that you are outputting from a database).
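
The pattern this answer describes (store the raw submission through a bound parameter, escape only at the point of HTML output), as an added example that is not part of the original thread. It assumes PHP with the pdo_sqlite extension so the database is in memory and the script runs stand-alone; the input string is constructed for illustration.

```php
<?php
// Added example (not from the thread): raw storage via prepared statement,
// escaping only when rendering. Assumes the pdo_sqlite extension is loaded.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input containing both a single quote (relevant to SQL)
// and markup (relevant to XSS when rendered in HTML).
$userInput = "O'Brien wrote: <script>alert(1)</script>";

// 1. Storage: the bound parameter is sent as data, not as SQL text, so the
//    quote cannot change the statement's structure. Nothing is escaped or
//    stripped here; the text is stored exactly as submitted.
$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => $userInput]);

// 2. Retrieval: the row comes back unchanged, so any later consumer
//    (JSON API, e-mail, PDF) can apply the escaping its own context needs.
$select = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
$select->execute([':id' => 1]);
$row = $select->fetch(PDO::FETCH_ASSOC);
assert($row['body'] === $userInput);

// 3. Output: escape for the HTML text-node/attribute context. ENT_QUOTES
//    covers both quote characters, ENT_SUBSTITUTE avoids returning an empty
//    string on invalid UTF-8, and the charset is stated explicitly.
function renderComment(string $body): string
{
    $safe = htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<li>' . $safe . '</li>';
}

// Contains &lt;script&gt; as visible text; no script element is created.
echo renderComment($row['body']), PHP_EOL;
```

htmlspecialchars is the right tool when the stored value is plain text; the answer's HTMLPurifier suggestion is for the case where you deliberately allow users a subset of HTML and need it filtered to a whitelist before output.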
