Is it better to make user-input safe before saving it to the database or is it enough to make it safe for display using functions like htmlentities or strip_tags? For example, I might save what user inputs and then display it later using something like the following:
Code:
echo "<h2>" . htmlentities($select_page["menu_name"]). "</h2>";
echo "<p>" . strip_tags(nl2br($select_page["content"]), "<p><br><b><i><a>") . "</p>";
Should I be performing this kind of transformation before saving to a database?
(I know enough to be using mysql_real_escape_string before saving to mysql).