Originally Posted by angelali
I have never said strip_tags and htmlentities are used for database! I said I used them against XSS. Read again.
They have nothing to do with XSS or SQL injection - they have to do with converting VALID data into an appropriate format where it might conflict with code.
If you were doing everything properly in the first place then XSS and SQL injection would not even be an issue.
You need to learn how to VALIDATE user data and then 99% of all the security issues will disappear leaving just those situations where the data might legitimately be confused with the code - then you use the appropriate ESCAPE function in those instances not to prevent security holes but to get legitimate data to work correctly.
With VALID data that is appropriately ESCAPED when necessary there is no such thing as XSS or SQL injection. Those issues only exist where you allow junk data to be input in the first place and then even if you do block the security holes it will still be possibler for someone to write a trillion junk records to your database making your entire application useless.
Anyone concerned with XSS or SQL injection is looking at the entire situation backwards and is simply asking for someone to fill their database with junk AFTER they have fixed any SQL injection issues - since fixing those issues doesn't mean that the data is VALID.