HTML encode user input when storing or when displaying

Backend · Unresolved · 4 answers · 1926 views
一个人的身影 2020-12-14 00:51

Simple question that keeps bugging me.

Should I HTML encode user input right away and store the encoded contents in the database, or should I store the raw values an

4 answers
  •  [愿得一人]
    2020-12-14 01:23

    I'd strongly suggest encoding information on the way out. Storing raw data in the database is useful if you wish to change the way it's viewed at a certain point. The flow should be something similar to:

    sanitize user input -> protect against sql injection -> db -> encode for display
    

    Think about a situation where you might want to display the information as an RSS feed instead. Having to redo any HTML-specific encoding before you re-display seems a bit silly. Any development should always follow the "don't trust input" meme, whether that input is from a user or from the database.
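The flow in the answer above (validate on the way in, parameterised query into the database, encode per output context on the way out), as an added example that is not part of the original thread. It uses an in-memory SQLite table, a hypothetical length-limit check standing in for the "sanitize user input" step, and two output contexts, HTML and RSS/XML, to show why storing the raw value keeps both correct; the last function shows the double-encoding you get when HTML-encoded text is stored and later emitted as XML. The sample comments are constructed.

```python
import html
import sqlite3
from xml.sax.saxutils import escape as xml_escape

# Constructed sample inputs (not from the original thread): one with markup
# and quotes, one that tries to break out of a SQL string literal.
SAMPLE_COMMENT = 'Tom & Jerry <script>alert("x")</script> say "hi"'
SQLI_COMMENT = "'); DROP TABLE comments; --"

MAX_BODY_LEN = 2000  # hypothetical limit for the input-validation step


def validate_input(body):
    """Step 1, validation on the way in: reject what the application cannot
    accept (empty, oversized, NUL bytes). No HTML encoding happens here,
    because at this point the output context is not known."""
    if not isinstance(body, str):
        raise TypeError("body must be a string")
    body = body.strip()
    if not body or len(body) > MAX_BODY_LEN:
        raise ValueError("body is empty or too long")
    if "\x00" in body:
        raise ValueError("NUL bytes are not allowed")
    return body


def open_db():
    """In-memory SQLite database that stores raw, unencoded text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn


def store_comment(conn, body):
    """Step 2: the parameterised query is what protects against SQL injection;
    the value itself is stored exactly as the user submitted it."""
    body = validate_input(body)
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()
    return cur.lastrowid


def load_comment(conn, comment_id):
    row = conn.execute("SELECT body FROM comments WHERE id = ?", (comment_id,)).fetchone()
    return None if row is None else row[0]


def count_comments(conn):
    return conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]


def render_html(body):
    """Step 3, HTML context: encode when placing the value in an HTML text
    node. quote=True also makes the result safe inside a quoted attribute."""
    return "<p>%s</p>" % html.escape(body, quote=True)


def render_rss_item(body):
    """Step 3, XML/RSS context: the same raw value encoded for XML element
    content, where only &, < and > need escaping."""
    return "<item><description>%s</description></item>" % xml_escape(body)


def encode_on_input(body):
    """The encode-before-storing approach the question asks about."""
    return html.escape(body, quote=True)


def rss_from_prestored_html(stored_html_encoded):
    """What goes wrong with encode-on-input: a value HTML-encoded before
    storage is encoded a second time when emitted as XML, so the feed shows
    literal '&amp;' and '&lt;' to the reader instead of '&' and '<'."""
    return "<item><description>%s</description></item>" % xml_escape(stored_html_encoded)


if __name__ == "__main__":
    conn = open_db()
    cid = store_comment(conn, SAMPLE_COMMENT)
    store_comment(conn, SQLI_COMMENT)  # stored as text; the table stays intact
    raw = load_comment(conn, cid)
    print(render_html(raw))
    print(render_rss_item(raw))
    print(rss_from_prestored_html(encode_on_input(SAMPLE_COMMENT)))
```

Note that `render_html` and `render_rss_item` take the raw database value and produce correct output for their own context; a JSON API or a plain-text email would get a third encoder over the same stored value, rather than undoing HTML entities first.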
