My Approach while INSERT'ing INTO MySQL
I think I read on stackoverflow.com that "if you need escaping or a similar action, do it just at the time you need it", so in the verification pages where I verify the user inputs (null-or-not check, length check and structural checks (e.g. mail structure, custom tag structures)), I use the $_POST[''] variables as inputs. During verification, even in the custom error-printing parts, my error messages do not include any of the $_POST[''] values in the message texts.
As an interim note: I use prepared statements and parameterized queries for PHP-MySQL interactions. Once the inputs are verified, just before INSERT'ing INTO MySQL, I strip the tags from the input, since I don't allow any HTML tags other than custom structured tags (for example **bold text** === <strong>bold text</strong>). Then I insert the user input into the MySQL db.
My Approach while fetching from MySQL & printing the output to the screen
I only apply htmlspecialchars() when printing output from the MySQL db to the screen.
My Question
I am not sure of myself. Is there any obvious or hidden weakness in my approach? Thanks in advance for the PHP gurus' valuable comments. BR
UPDATE
I won't strip tags during insert into the MySQL db. For the reasons, please refer to the comments of ÁlvaroG.Vicario below. BR.
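Here is how the approach in the post (validate only, store the raw text through a prepared statement, escape with htmlspecialchars() at output time and only then expand the custom **bold** markup) looks in working PHP. This is an added example, not the asker's code; it assumes PDO and uses an in-memory SQLite database in place of MySQL so the script runs stand-alone.

```php
<?php
// Added example (not the asker's code). Assumes a PDO connection; an in-memory
// SQLite database stands in for MySQL so the script runs stand-alone.
declare(strict_types=1);

// Validate structurally only; nothing is escaped or stripped here, and the
// error messages never echo the submitted value back.
function validateComment(string $text): ?string
{
    if ($text === '') {
        return 'Comment must not be empty.';
    }
    if (mb_strlen($text) > 500) {
        return 'Comment is too long.';
    }
    // The custom **bold** markers must come in pairs.
    if (substr_count($text, '**') % 2 !== 0) {
        return 'Unbalanced ** markers.';
    }
    return null;
}

// Store the raw text with a prepared statement; no SQL escaping is needed.
function storeComment(PDO $db, string $text): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $text]);
}

// Render at output time: escape first, then turn **x** into <strong>x</strong>.
// Because escaping happens before the marker rewrite, a user-supplied '<'
// never reaches the browser as markup; only the renderer introduces tags.
function renderComment(string $raw): string
{
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return preg_replace('/\*\*(.+?)\*\*/s', '<strong>$1</strong>', $safe);
}

$db = new PDO('sqlite::memory:');   // assumption: replace with your MySQL DSN
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed sample input that mixes the custom markup with raw HTML.
$input = "Hello **world** <script>alert(1)</script> O'Brien";
if (($err = validateComment($input)) !== null) {
    exit("Rejected: $err\n");
}
storeComment($db, $input);

foreach ($db->query('SELECT body FROM comments') as $row) {
    echo renderComment($row['body']), "\n";
}
```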