Jochim

Reputation: 33

Handling user input to safely store it in a database and pull it back out, like a CMS

I'm learning PHP by making a CMS, and everything went fine up to now. The next thing I want to implement is user input; more specifically, I want them to be able to write their own posts, questions, etc. on the site, like you can on pretty much every forum.

Now here's the problem: I've read multiple articles saying you have to be careful when allowing user input because they can do stuff like SQL injections and XSS injections. Though I found many articles about this, I didn't find any decent tutorials/guides to solve this problem.

I dug a little bit deeper and found out you can protect your SQL from injections by using PHP PDO prepared statements. Problem #1 solved!

Now onto problem #2: XSS injections. I've read you have to use functions like htmlspecialchars and such, but they never said when to use them (before inserting it into the database or when pulling it out of the database). I also read about HTML Purifier, but that removes all JS so you can't allow users to post code examples, and I really, really need that...

If you know how I can solve the whole input security, please drop a comment/answer below. It's very much needed and appreciated!

NOTE: if it matters at all, the users are allowed to input their posts in Markdown, which I can already convert to HTML with PHP.

Upvotes: 1

Views: 302

Answers (1)

Derek Curtis

Reputation: 659

As far as handling XSS, that's typically handled after the data is pulled back out of the database. Instead of using another library, have a look here for sanitizing your output:

PHP Sanitize filters

Specifically, FILTER_SANITIZE_SPECIAL_CHARS

I should also suggest, if you're trying to learn about handling security, that you check into protecting yourself from XSRF attacks as well. Here's a good write-up on what XSRF is and how to protect against it:

Prevent XSRF

Good luck! And props to you for actually doing your own research first!

Upvotes: 1
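An added example (not the asker's or the answerer's code) of the two halves discussed above: a PDO prepared statement on the way into the database, and escaping with htmlspecialchars on the way out, so a post can contain a code sample without the browser executing it. It uses an in-memory SQLite database and a constructed post; the table and function names are assumptions of this example.

```php
<?php
// Added example: PDO prepared statement on insert, escape on output.
// In-memory SQLite so it runs stand-alone; the posts table is constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Problem #1 (SQL injection): the body is bound as a parameter, so quotes and
// comment markers inside it are stored as data and never parsed as SQL.
function storePost(PDO $pdo, string $body): int {
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]); // store the raw text; no HTML escaping here
    return (int) $pdo->lastInsertId();
}

// Problem #2 (XSS): escape once, at output time, right before the text goes into HTML.
// ENT_QUOTES also covers attribute values; the charset must match the page's encoding.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderPost(PDO $pdo, int $id): string {
    $stmt = $pdo->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = (string) $stmt->fetchColumn();
    // Wrapping the escaped text in <pre><code> lets users share code examples:
    // the browser shows the tags as literal text instead of running them.
    return '<pre><code>' . e($body) . '</code></pre>';
}

// Constructed post: a code sample that contains both SQL and a script tag.
$userInput = "SELECT 1; -- ' OR 1=1\n<script>alert('xss')</script>";
$id = storePost($pdo, $userInput);
echo renderPost($pdo, $id), PHP_EOL;
```

If the Markdown converter mentioned in the question runs on the body, escape before converting (or escape inside the converter's code-block handler), since escaping the converter's HTML output would turn its tags back into visible text.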
