Logic of saving text in DB using PHP

friends.

I have a page on which users can add comments (users can enter tags). Comments are saved in the DB. Now I am using the following approach: I save the whole comment into the DB, and I escape the comment from the DB when it's rendered. Is that right? Or is it better to escape before inserting into the DB?

Sorry for my English. Thank you in advance.


Escape before insert. The whole reason to escape the string is to prevent SQL injection, which occurs when you are putting user-inputted data in a query. (I assume you are asking about using mysql_real_escape_string().)
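The two concerns raised in this thread, keeping user input from altering the SQL at insert time and escaping tags when the comment is rendered, are shown together in the following added example, which is not code from the question or the answer. It assumes PDO with an in-memory SQLite database and uses a bound parameter rather than mysql_real_escape_string(); the table and function names are hypothetical.

```php
<?php
// Added example: table name, function names and sample comments are constructed.
declare(strict_types=1);

function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

// Insert time: the comment travels as a bound parameter, so quotes in it
// cannot change the SQL statement. The text is stored exactly as typed.
function saveComment(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Render time: escape for the HTML context, so tags typed by users are
// displayed as text instead of being interpreted by the browser.
function renderComments(PDO $pdo): string
{
    $html = '';
    foreach ($pdo->query('SELECT id, body FROM comments ORDER BY id') as $row) {
        $safe = htmlspecialchars($row['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= sprintf("<li id=\"c%d\">%s</li>\n", $row['id'], nl2br($safe));
    }
    return "<ul>\n{$html}</ul>\n";
}

$pdo = openDb();
saveComment($pdo, "It's a <b>nice</b> post");       // quote and tag in one comment
saveComment($pdo, '<script>alert(1)</script>');     // markup that must not execute
saveComment($pdo, "x'); DROP TABLE comments; --");  // SQL metacharacters
echo renderComments($pdo);                          // all three rows come back as inert text
```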
