I am wondering if one of the PHP pros on here could answer this question for me.
When validating user input to be put into a database like mysql, i use mysql_real_escape_string() but i also use strip_tags(), htmlentities() and trim() . My question is should i just be using mysql_real_escape_string() and if then displaying the user data on a webpage is use strip_tags() htmlentities() before it is displayed on a webpage? , i always run data through mysql_real_escape_string of course before going into database.
I am noticing quite a few scripts just use mysql_real_escape_string() when placing the data into a database and then before the data from database is output on a webpage it goes through strip_tags() and htmlentities() etc. I am not sure what is the best way to go about this, for example if i only use mysql_real_escape_string() that means i could have potential dangerous code in the database like code tags with malicious code etc that could cause harm, obviously this won't be a problem if the correct checks are done before it is outputted on a webpage but am confused how others valdiate data and in which way.
Could someone please clarify what is the best practice way for me please?
example i have guestbook, i run the $_POST data through strip_tags, htmlentities, mysql_real_escape_string before it is put in the database then i can display it on the webpage knowing no harmful code is in database, yet i see scripts doing it the opposite way and just using mysql_real_escape_string() when placing data into database and sanitizing the data then before it is displayed on a webpage like a guestbook for example.
But i do all of it before going into the database, i'm confused over it.
Security is always my top priority and just need proper clarification on this from you PHP pros out there, i am not sure what is best practice as i see so many bad scripts as i do good so never know which is the correct way.