Originally Posted by angelali
And can we add our traditional htmlentities or strip tags in PDO statements to protect against XSS?
You should use htmlentities when writing data out into HTML where the data can legitimately contain characters that might otherwise be misinterpreted as being a part of the HTML rather than as a part of the content.
You should use striptags where you want to convert HTML to plain text.
Neither has anything to do with databases.
Vakidating your data properly when it is first received from the user is the best way to prevent against XSS and also protects against your database getting filled with meaningless junk. If you validate your data properly then there is no possibility of XSS existing - it only happens because sites allow garbage to be entered in forms and don't validate it.
How many people do you know whose name or address looks like an SQL command?