Here’s the general rule of thumb.
Escape variables at the last possible moment.
You want your variables to be clean representations of the data. That is, if you are trying to store the last name of someone named “O’Brien”, then you definitely don’t want these:
.. because, well, that’s not his name: there’s no ampersands or slashes in it. When you take that variable and output it in a particular context (eg: insert into an SQL query, or print to a HTML page), that is when you modify it.
$name = "O'Brien"; $sql = "SELECT * FROM people " . "WHERE lastname="" . mysql_real_escape_string($name) . """; $html = "<div>Last Name: " . htmlentities($name, ENT_QUOTES) . "</div>";
You never want to have
htmlentities-encoded strings stored in your database. What happens when you want to generate a CSV or PDF, or anything which isn’t HTML?
Keep the data clean, and only escape for the specific context of the moment.