Should htmlspecialchars() be used on information on input or just before output?

Backend | Unresolved | 2 | 1924
闹比i 2020-12-21 04:13

I take $_POST information and store it in a DB and later on query and print this information to the user. Should I use htmlspecialchars() before inserting this info or after

2 answers
  • 2020-12-21 04:41

    Should I use htmlspecialchars() before inserting this info or after I query it before I output it?

    Escape data for the target code just before you insert it, i.e. just before you output it.

    This means that you will keep the data in its original form for other purposes (e.g. outputting to the user for editing, including in an email, generating a PDF, searching, etc.).

    In addition I need the ability for users to have the ability to use quotes and other everyday special chars. I know I can use the flag ENT_NOQUOTES but it feels like if I do that it leaves security holes.

    htmlspecialchars() will convert quotes in the inputted data into HTML. So you don't need to do anything special.

    My site allows Bbcode

    Then you need to have a proper BBCode parser.

    0    Discuss (0)
  • 2020-12-21 05:01

    htmlspecialchars() is used before output to avoid XSS, and the database had better store the user's raw input.

    0    Discuss (0)
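Both answers make the same point: keep the raw submission in the database and call htmlspecialchars() at output time, and the first answer adds that quotes are handled by the normal flags rather than ENT_NOQUOTES. The PHP below is an added example illustrating that, not code from the asker or from either answer; the in-memory $db array and the store_post(), escape_html() and render_post() functions are assumptions standing in for a real database layer and template.

```php
<?php
// Added example: keep the raw $_POST value in storage, escape only when
// rendering HTML. $db, store_post(), escape_html() and render_post() are
// assumptions standing in for a real database layer and template.
declare(strict_types=1);

// Constructed stand-in for a database table: rows hold exactly what was submitted.
$db = [];

function store_post(array &$db, string $rawComment): int
{
    // No htmlspecialchars() here. The stored text stays usable for re-editing,
    // e-mail, PDF generation, searching, or a BBCode parser, none of which want
    // HTML entities in the data.
    $db[] = $rawComment;
    return array_key_last($db);
}

function escape_html(string $value): string
{
    // ENT_QUOTES encodes both " and ' so the value is safe inside quoted
    // attributes as well as element text; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string and silently dropping the comment.
    // (These two flags are also the default since PHP 8.1.)
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_post(array $db, int $id): string
{
    $raw = $db[$id];
    // Escape at the point of output, once per place the value is interpolated.
    return '<p class="comment" title="' . escape_html($raw) . '">'
        . escape_html($raw) . '</p>';
}

// Constructed sample input. The first is an ordinary comment with quotes and an
// ampersand; the second carries a double quote that would end the title
// attribute early if it were not encoded.
$ordinary = store_post($db, 'She said "hi" & left. It\'s fine.');
$breakout = store_post($db, '" class="injected');

echo render_post($db, $ordinary), PHP_EOL;
echo render_post($db, $breakout), PHP_EOL;

// For contrast, the flag the asker was considering: ENT_NOQUOTES leaves " alone,
// so the second comment would break out of the attribute it was placed in.
echo htmlspecialchars($db[$breakout], ENT_NOQUOTES, 'UTF-8'), PHP_EOL;
```

Run it with `php example.php`. The first rendered line shows the user's quotes and ampersand reaching the browser as entities, so users can type them freely and see them displayed as typed; the last line shows the bare double quote surviving ENT_NOQUOTES, which is the hole the asker was worried about. The stored rows themselves never change, so the same raw text can be re-edited, mailed, or passed to a BBCode parser without first undoing any escaping.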