You shouldn't use htmlentities when saving it. You should use htmlentities when displaying it. The rule of thumb is not to encode/sanitize the data until you need to. If you do htmlentities on it when you save then you have to do html_entity_decode on the text when the user wants to edit the input. So you sanitize for what you need and nothing more. When saving it, you need to sanitize for SQL injection, so you mysql_real_escape_string it. When displaying, you need to sanitize for XSS, so you htmlentities it.
Also, I am not sure if you saw Darryl Hein's comment, but you really do not want magic_quotes enabled. They are a bad, bad thing and have been deprecated as of PHP 5.3 and will be gone altogether in PHP 6.
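An added example (not part of the original answer) of the store-raw, encode-on-output rule, next to what happens when the value is HTML-encoded before saving. It assumes the pdo_sqlite extension and uses PDO bound parameters on an in-memory SQLite database in place of mysql_real_escape_string, which was removed in PHP 7; the table, the helper names and the sample input are constructed for illustration.

```php
<?php
// Added example: sanitize per context, at the point of use.
// Table name, helper names and the sample comment are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

function save_comment(PDO $db, string $body): int {
    // SQL context: the value travels as a bound parameter, so it cannot
    // change the query. No HTML encoding happens here.
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function load_comment(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

function html(string $s): string {
    // HTML context: encode only when the value is written into a page.
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$input = "Tom & Jerry's <b>\"best\"</b> <script>alert(1)</script>";

// Recommended flow: the database holds exactly what the user typed.
$id  = save_comment($db, $input);
$raw = load_comment($db, $id);
var_dump($raw === $input);                       // stored value is unchanged
echo '<p>', html($raw), "</p>\n";                // display: encoded once
echo '<textarea name="body">', html($raw), "</textarea>\n"; // edit form: same call

// Encoding before saving: the database now holds entities, not the text.
$id2    = save_comment($db, html($input));
$stored = load_comment($db, $id2);
var_dump($stored === $input);                    // stored value differs from input

// Any output path that encodes again double-encodes the entities...
echo '<p>', html($stored), "</p>\n";

// ...and every non-HTML consumer (edit form value, export, search, length
// checks) has to remember to decode first to get the user's text back.
var_dump(html_entity_decode($stored, ENT_QUOTES, 'UTF-8') === $input);
```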