The disadvantage of the "escape for now, not for later" approach is simple. If you save a user's post to the database and that post is then displayed 2,000 times, there will be some serious differences in cost. Under the approach I recommend, the post is escaped with mysql_real_escape_string() once and with htmlentities() 2,000 times. If you had escaped it twice in the first place, each of those functions would have been called once, saving you 1,999 calls to htmlentities().
You will need to balance your security concerns with performance needs.
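To make the trade-off concrete, here is an added example (not code from the original post) that models both strategies in Python: parameterised sqlite3 queries stand in for mysql_real_escape_string(), html.escape() stands in for htmlentities(), and the counter shows how many HTML-escaping calls each strategy needs for one save and 2,000 views. It also shows the pitfall the "escape twice up front" strategy carries: if the display path escapes again, the stored entities are double-encoded.

```python
import html
import sqlite3

# Constructed sample post with characters that matter to both SQL and HTML.
SAMPLE_POST = "Tom & Jerry's <script>alert(1)</script> \"quoted\""


class PostStore:
    """Tiny post store. Parameterised queries do the SQL escaping once at
    write time (the role mysql_real_escape_string() plays in the post)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)")
        self.html_escapes = 0  # number of htmlentities()-style calls so far

    def _escape_html(self, text):
        self.html_escapes += 1
        return html.escape(text, quote=True)

    def save(self, body, escape_for_html_now):
        # "escape twice in the first place": HTML-escape once when storing
        if escape_for_html_now:
            body = self._escape_html(body)
        cur = self.db.execute("INSERT INTO posts (body) VALUES (?)", (body,))
        return cur.lastrowid

    def render(self, post_id, escape_for_html_now):
        row = self.db.execute("SELECT body FROM posts WHERE id = ?", (post_id,)).fetchone()
        # "escape for now, not for later": HTML-escape on every display instead
        return row[0] if escape_for_html_now else self._escape_html(row[0])


def compare(views=2000):
    """Return {escape_now: (rendered_html, html_escape_call_count)} for both strategies."""
    results = {}
    for escape_now in (False, True):
        store = PostStore()
        post_id = store.save(SAMPLE_POST, escape_now)
        pages = {store.render(post_id, escape_now) for _ in range(views)}
        results[escape_now] = (pages.pop(), store.html_escapes)
    return results


def double_escape_pitfall():
    """Store HTML-escaped text, then escape again on display: the output is
    corrupted (e.g. '&amp;amp;'). Write path and read path must agree."""
    store = PostStore()
    post_id = store.save(SAMPLE_POST, escape_for_html_now=True)
    return store.render(post_id, escape_for_html_now=False)
```

Both strategies produce identical, safe HTML; the difference is 1 versus 2,000 escaping calls, and the store-escaped variant only stays correct if every consumer of the column knows it already holds HTML.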
Note: This blog post was written well in advance; I'm on vacation, don't have my laptop or internet, and it's likely that my cell phone won't even turn on. So replies may be a bit tardy.
Note^2: But I'm not dumb; someone's looking after my server.
Paul Reinheimer, one of two behind the funcaday website (providing details ...
Tracked: Jan 07, 14:14