I have a form to allow a user to contact me. I am aware of how to prevent the use of HTML in the input fields (htmlentities), but should I do this before it hits the DB, when it is being recalled, or both?

Cheers