Input filtering for security

notset

Hello,

I want to make clear everything about input filtering.

Before SQL query

mysql_real_escape_string($value)

Before displaying in HTML

htmlspecialchars($value, ENT_QUOTES) is enough?
or maybe strip_tags($value) - better?

How to make input secure before displaying it in HTML?

What others filters i need to use to make my site secure?

Thank's

bogu

notset wrote:
Before SQL query
mysql_real_escape_string($value)

I use htmlspecialchars here too ...

notset wrote:
Before displaying in HTML
htmlspecialchars($value, ENT_QUOTES) is enough?
or maybe strip_tags($value) - better?
How to make input secure before displaying it in HTML?

I use htmlspecialchars($value) for all the html caracters, if the user want to add html code I dont strip it ...
And this will do ...

Installer

http://phpbuilder.com/columns/ryan_mcgeehan20060627.php3