21:28 <@Xiven> the philosophy is that you don't want to end up doing silly things like storing it html-escaped in a database. not everything is output as html either 21:29 <@Xiven> you SQL escape just before you enter into a database, you HTML escape just before you output html, you URL encode just before you use it in a URL 21:29 <@Xiven> you can never be sure that later on, that variable isn't going to be used in some other way 21:30 <@Xiven> and when you start doing object-oriented stuff, your object should never expect to be fed escaped data 21:30 <@Xiven> this is why PHP's "magic quotes" are a bad idea 21:30 <@Xiven> for a simple small app it seems nice
When you output input, use htmlspecialchars. Or htmlentities.
When you put stuff in a database. Quote it! Avoid SQL injection.