I'm really restricted on space, so I wanted to present a counterpoint on today's funcaday: performance.
The disadvantage of the "escape for now, not for later" approach is simple. If you save a user's post to the database and that post is then displayed 2,000 times, the two approaches differ seriously in cost. Under the approach I recommend, the post is escaped with mysql_real_escape_string() once and with htmlentities() 2,000 times. If you had escaped it for both contexts at the start, each function would have been called once, saving you 1,999 calls to htmlentities().
You will need to balance your security concerns with performance needs.
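As an added example (not the original post's code), here are the two strategies side by side in PHP with a call counter; the database escape is a stand-in closure, since mysql_real_escape_string() needs a live connection.

```php
<?php
// Added example, not from the original post: run both escaping strategies
// over one user post rendered 2,000 times and count the escape calls.
// Assumption: no database here, so a stand-in closure replaces
// mysql_real_escape_string(), which needs a live connection (and the
// mysql_* extension was removed in PHP 7; mysqli/PDO are the current APIs).

function countEscapes(string $post, int $views): array
{
    $calls = ['db' => 0, 'html' => 0];

    // Stand-in for mysql_real_escape_string(): counts, then quotes for SQL.
    $dbEscape = function (string $s) use (&$calls): string {
        $calls['db']++;
        return addslashes($s);
    };
    $htmlEscape = function (string $s) use (&$calls): string {
        $calls['html']++;
        return htmlentities($s, ENT_QUOTES, 'UTF-8');
    };

    // Approach A: escape only for the context at hand. The INSERT gets the
    // SQL-escaped text, the DB hands back the original, and every render
    // HTML-escapes it again.
    $sqlA = $dbEscape($post);
    $rowA = $post;                       // what SELECT returns
    $htmlA = '';
    for ($i = 0; $i < $views; $i++) {
        $htmlA = $htmlEscape($rowA);
    }
    $a = $calls;
    $calls = ['db' => 0, 'html' => 0];

    // Approach B (the post's recommendation): HTML-escape once at store time,
    // SQL-escape that for the INSERT, and render the stored value verbatim.
    // Trade-off behind "balance your security concerns": the row now holds
    // HTML-escaped text, which is only correct when output into HTML.
    $rowB = $htmlEscape($post);
    $sqlB = $dbEscape($rowB);
    $htmlB = '';
    for ($i = 0; $i < $views; $i++) {
        $htmlB = $rowB;                  // no escaping call per render
    }
    $b = $calls;

    return ['escape_on_output' => $a, 'escape_on_input' => $b,
            'same_html' => ($htmlA === $htmlB)];
}

print_r(countEscapes("<b>O'Reilly</b> says 1 < 2", 2000));
```

Compare the two call counts in the output, and check that `same_html` is true: both strategies produce the same rendered HTML, they only differ in where the work happens.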
Note: This blog post was written well in advance; I'm on vacation, don't have my laptop or internet, and it's likely that my cell phone won't even turn on. So replies may be a bit tardy.
Note^2: But I'm not dumb, someone's looking after my server