As I understand it, using something like mysql_escape will escape all special characters, keywords, etc.
You understand it wrong. "mysql_escape" doesn't make "all special characters, keywords, etc." "harmless", as you (after wast masses of PHP users) believe. The purpose of this honest function is totally different.
For HTML, Javascript or PHP, it would only be executed once the column value is selected and used for generating a webpage.
Save for PHP which won't be executed unless you call eval() on it explicitly
I suppose you could html_escape before putting the data into the database, but what if the code snippets were retrieved using something other than a web browser?
html_escape it before sending to browser then?
