MySQL Forums

Re: Looking for Rule on quoting
Posted by: Rick James
Date: August 23, 2010 09:08PM

> Is there any kind of rules of thumb on this? Always run mysql_real_escape_string. When php and javascript are mixed, don't do this, do this, always do this... That kind of thing.

* The data should be the data. No embellishments for html, extra quotes, etc.

* Don't trust any input, even if you think you have control over it.

* Always do the appropriate escaping when outputting.

Examples:

* If you have the character "<" in the 'data', and you want to display it in html, be sure to turn it into "&lt;".

* If you have a PHP variable containing some string to be INSERTed into a MySQL table, be sure to escape it (mysql_real_escape_string or equivalent).

* Input as part of a URL needs to be unencoded(), if by Javascript.

Etc, etc. (I don't have the full list off the top of my head.)

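The three rules above (store the raw data, trust nothing, escape per output context) as an added PHP example; this is not code from the thread. It assumes a table `people(name)` and an open mysqli connection `$db`, and uses mysqli's escaping in place of the `mysql_real_escape_string` named in the post, since the old ext/mysql functions were removed in PHP 7.

```php
<?php
// Added example, not part of the original forum post.
// Constructed sample input: one raw value that is hostile in every context.
$data = "O'Reilly <script>alert(1)</script> & \"co\"";   // stored exactly as-is

// 1. SQL context: bind the raw value; the driver does the quoting.
//    $db is an assumed, already-open mysqli connection; table `people` is hypothetical.
function insertName(mysqli $db, string $name): bool {
    $stmt = $db->prepare('INSERT INTO people (name) VALUES (?)');
    $stmt->bind_param('s', $name);       // no hand-built quotes anywhere
    return $stmt->execute();
}

// Same thing with the escape-then-concatenate style the post describes.
function insertNameEscaped(mysqli $db, string $name): bool {
    $sql = "INSERT INTO people (name) VALUES ('" . $db->real_escape_string($name) . "')";
    return $db->query($sql) !== false;
}

// 2. HTML body or attribute context: "<" becomes "&lt;", quotes become entities.
function forHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. URL query-string component: percent-encode, never HTML-encode here.
function forUrl(string $s): string {
    return rawurlencode($s);
}

// 4. Value embedded inside a <script> block: JSON-encode with the
//    HEX flags so "</script>" and quotes cannot break out of the string.
function forJs(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// One stored value, three different encodings chosen by where it is emitted.
echo '<p>' . forHtml($data) . "</p>\n";
echo '<a href="/search?q=' . forUrl($data) . '">link</a>' . "\n";
echo '<script>var name = ' . forJs($data) . ";</script>\n";
```

Run with `php example.php` to see the three encodings side by side; the SQL functions are only called once a real `$db` exists.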



