And I want to ask a more specific question: at which point do I need to check the user's input for XSS and HTML tags?
Input or output?
I see there could be a problem here; for instance, I want to use htmlspecialchars.
If I use it at the input stage, the number of characters could exceed the maximum number of characters in the DB.
Or do I need to call htmlspecialchars with every echo in the code? (Of course, this applies to data that could come from the user's input.)
And a second one: how to properly protect a site from second-order SQL injection?
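Below is an added PHP example (not from the original post) that puts both questions side by side: user input is stored unmodified through a bound parameter, `htmlspecialchars` is applied only at the point of `echo`, and the value read back from the database is bound again when it feeds a later query, which is the step where second-order injection would otherwise occur. It assumes PDO with the SQLite driver so it runs offline; the table names, column limit and sample input are constructed for the demo.

```php
<?php
// Added example, not code from the original post.
// Demonstrates: raw storage with prepared statements, escaping at output time,
// and binding DB-sourced values in later queries (second-order SQL injection).
// Assumes the pdo_sqlite extension; tables and sample data are constructed here.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');

// Constructed sample input containing both HTML markup and a quote character.
$rawUsername = "<b>mallory</b>' OR '1'='1";

// Input stage: validate the length of the raw value (that is what the DB
// column limit applies to) and store it unchanged via a bound parameter.
// No htmlspecialchars here, so the stored length is never inflated.
function storeUser(PDO $db, string $username): int
{
    if (mb_strlen($username) > 64) {            // 64 is a constructed column limit
        throw new InvalidArgumentException('username too long');
    }
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (:u)');
    $stmt->execute([':u' => $username]);
    return (int) $db->lastInsertId();
}

// Later request: the username is read back from the DB and used in a NEW query.
// Concatenating it into SQL here would be a second-order injection, even though
// the value "came from our own database"; binding it keeps it data.
function postsByStoredUser(PDO $db, int $userId): array
{
    $stmt = $db->prepare('SELECT username FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $username = $stmt->fetchColumn();
    if ($username === false) {
        return [];
    }
    $stmt = $db->prepare('SELECT body FROM posts WHERE author = :a');
    $stmt->execute([':a' => $username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Output stage: encode for the HTML context at the point of echo.
// ENT_QUOTES escapes both quote styles, so the result is safe inside attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$id = storeUser($db, $rawUsername);
$db->prepare('INSERT INTO posts (author, body) VALUES (:a, :b)')
   ->execute([':a' => $rawUsername, ':b' => 'hello']);

// The DB holds the exact raw value, and the second-order query is still scoped
// to that one user rather than being altered by the quote in the username.
$stored = $db->query('SELECT username FROM users')->fetchColumn();
if ($stored !== $rawUsername) {
    throw new RuntimeException('stored value was altered');
}
if (postsByStoredUser($db, $id) !== ['hello']) {
    throw new RuntimeException('second-order query returned unexpected rows');
}

// Escaping happens here, once per output, not at insert time.
echo '<p>Welcome, ' . h($stored) . "</p>\n";
```

The pattern to take from this: the database always sees the original string through a bound parameter, so the column limit is checked against the real length; every `echo` of untrusted data goes through one small helper like `h()`; and "came from the DB" is never treated as "trusted", so data read back is bound again rather than concatenated.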