
Php-MySql Security approach while INSERT’ing INTO MySql & fetching from MySql to screen


My Approach while INSERT’ing INTO MySql

I think I read on stackoverflow.com that “if you need escaping or similar action, do it just in time you need”, so in the verification pages where I verify the user inputs (null-or-not check, length check and structural checks (e.g. mail structure, custom tag structures)), I use the $_POST[''] variables as inputs. During verification, even in the custom error-printing parts, my error messages do not include any of the $_POST[''] values in the message texts.

As an interim note: I utilize prepared statements and parameterized queries during php-MySql interactions. If the inputs are verified, just before INSERT’ing INTO MySql I strip the tags from the input, since I don’t allow any HTML tags other than custom structured tags (for example **bold text** === <strong>bold text</strong>). Then I insert the user input into the MySql db.

My Approach while fetching from MySql & printing the output to the screen

I only apply the htmlspecialchars() function when printing out to the screen from the MySql db.

My Question

I am not sure of myself. Is there any obvious or hidden weakness in my approach? Thanks in advance for php gurus’ valuable comments. BR

UPDATE

I won't strip tags during insert into the MySql db. For the reasons, please refer to the comments of ÁlvaroG.Vicario below. BR.


Solution

  • The discussion thus far has been about protecting from SQL Injection and Persistent cross site scripting. It sounds like you're on the right track.

    • Your use of prepared statements is a "best practice" to combat SQL injection.
    • htmlspecialchars() is a good start to prevent XSS, but you have to escape data in the encoding scheme that is appropriate to where you are outputting data. OWASP has a comprehensive page that discusses this: XSS (Cross Site Scripting) Prevention Cheat Sheet. The short answer: Ensure you are using "the escape syntax for the part of the HTML document you're putting untrusted data into."
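Putting the two halves together (a prepared-statement INSERT, then context-specific escaping on output) as an added example that is neither the asker's nor the answerer's code. It assumes a table `posts(id INT AUTO_INCREMENT, body TEXT)`, the DSN and credentials shown, and the `**bold**` custom markup from the question; the raw text is stored unchanged, in line with the asker's update about not stripping tags on insert.

```php
<?php
// Added example; assumes a `posts(id, body)` table and the PDO DSN below.
declare(strict_types=1);

function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Store the raw, already-validated text. No escaping or tag stripping
// here: the bound parameter can never become part of the SQL syntax.
function insertPost(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// HTML body context: escape first, then convert the custom **bold**
// markup to <strong>. Because escaping runs before the substitution,
// user text can never yield a tag; only this one rule can.
function renderBody(string $raw): string
{
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return preg_replace('/\*\*(.+?)\*\*/s', '<strong>$1</strong>', $safe);
}

// HTML attribute context (e.g. a title="" attribute): a different part of
// the document, so no markup conversion, and ENT_QUOTES so that single
// quotes are escaped as well as double quotes.
function renderAttr(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Usage (after your own null/length/structure validation of $_POST['body']):
// $pdo  = connect();
// $id   = insertPost($pdo, $_POST['body']);
// $stmt = $pdo->prepare('SELECT body FROM posts WHERE id = ?');
// $stmt->execute([$id]);
// $body = (string) $stmt->fetchColumn();
// echo '<p title="' . renderAttr($body) . '">' . renderBody($body) . '</p>';
```

Input such as `**<script>**` is stored verbatim and rendered as `<strong>&lt;script&gt;</strong>`, which is the behaviour the question and answer describe: the database holds the original text, and each output location applies its own escaping.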