Validating user input?

Backend | Unresolved | 3 | 433
走了就别回头了 2021-01-18 18:10

I am very confused over something and was wondering if someone could explain.

In PHP I validate user input so htmlentities, mysql_real_escape_string is used before

3 answers
  •  既然无缘
    2021-01-18 18:31

    mysql_real_escape_string() is all you need for the database operations. It'll ensure that a malicious user can't embed something into data that'll "break" your queries.

    htmlentities() and htmlspecialchars() come into play when you're working with sending stuff to the client/browser. If you want to clean up potentially hostile HTML, you'd be better off using HTMLPurifier, which will strip the data to the bedrock and hose it down with bleach and rebuild it properly.
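The answer above separates the two escaping jobs by destination: one for the SQL string, one for the HTML sent to the browser. The following is an added example, not code from the question or from either answer, that shows the same separation in current PHP. Note that the mysql_* extension, including mysql_real_escape_string(), was removed in PHP 7.0, so the SQL side here uses a PDO parameterized query instead; to keep the example runnable offline it assumes the pdo_sqlite driver and an in-memory SQLite database rather than MySQL, and the table name `users` and the sample input are constructed for the example.

```php
<?php
// Added example: escape (or better, avoid escaping) per output context.
// Assumes PHP >= 7.0 with pdo_sqlite; the `users` table is created below.
declare(strict_types=1);

// --- SQL context -----------------------------------------------------------
// A parameterized query keeps the data out of the SQL text, so nothing has to
// be escaped and a value such as "' OR 1=1 --" is just a string to compare.
function findUserByName(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// String escaping only protects a value that sits inside quotes in the SQL.
// A number interpolated without quotes is not protected by escaping at all
// ("1 OR 1=1" contains nothing to escape), so cast it or bind it as an int.
function findUserById(PDO $db, string $idFromRequest): array
{
    $id = (int) $idFromRequest;                     // "1 OR 1=1" becomes 1
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- HTML context ----------------------------------------------------------
// Escape at output time. ENT_QUOTES also converts single quotes, which matters
// when the value lands inside a single-quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input, shaped like something an attacker would submit.
$name = "O'Brien <script>alert(1)</script>";

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Store the raw value. Running htmlentities() before the INSERT would bake
// HTML escaping into data that may later be emitted as JSON, CSV or e-mail,
// and would be escaped a second time by h() on the way out.
$db->prepare('INSERT INTO users (name) VALUES (:name)')->execute([':name' => $name]);

// Lookup by the hostile string works, because it was never part of the SQL.
foreach (findUserByName($db, $name) as $row) {
    // Same raw value, escaped once, for an attribute and for element text.
    echo '<li data-name="' . h($row['name']) . '">' . h($row['name']) . "</li>\n";
}

// The numeric path: the injection attempt collapses to id 1.
foreach (findUserById($db, '1 OR 1=1') as $row) {
    echo h($row['name']) . "\n";
}
```

The point the answer makes carries over unchanged: the database layer and the HTML layer need different treatment, and the HTML treatment belongs where the value is printed, not where it is stored. Where some user-supplied HTML has to be preserved rather than escaped, the answer's pointer to HTMLPurifier still applies; that case is not covered by htmlspecialchars() and is not shown here.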
