Is there a need to use html_entity_decode?

For a text field where I want to allow apostrophes (single quotes) and basic HTML like a bold tag, I am filtering the input field, stripping the data and using addslashes() if required.

When it comes to updating this field, I would use stripslashes and htmlspecialchars to convert the quotes and <> to HTML entities, as in stripslashes(htmlspecialchars($data_value,ENT_QUOTES))

I can see the slashes have been stripped and entities used - example:
   "do quote's work? new <b>test</b>" - becomes
   "do quote&#039;s work?\nnew&lt;b&gt;test&lt;/b&gt;"

The content in the input field <textarea> looks correct - no unusual characters
  do quote's work? new test -- where test is in bold

When the form is posted the incoming value does not contain entities but just the characters. The quote is a ' and the &lt; is a < 

It would appear I do not need to use html_entity_decode on this data before saving to revert it back. I would need to ensure I save the data as it appears and not with the HTML entity values.
I would want to search on quote's and not quote&#039;s

I ask because there are a number of comments in the online html manual about using an un-convert entity function or html_entity_decode(). I would think this is only needed if the data was not being displayed and posted back or was in a hidden field and somehow the entity values were still retained.

Anyway - interested to see if I am missing something.


You aren't missing anything. I was curious about this myself a while back and ran some tests. You should run some tests too just to convince yourself, but yeah where there are html special characters in the HTML CODE of a form field, they are in fact submitted as their real entities. Whatever page receives the posted information does in fact receive a "<" and not a "&lt;" (for example).

However, if you TYPE html entities into a form field, in an actual browser, they are submitted exactly as typed--typing "&lt;" does in fact submit "&lt;" -- things TYPED into a form field by an actual user are taken literally. But things pre-filled into the underlying HTML code as the form field's value are *rendered* into HTML and thus the browser itself is doing the html_entity_decode for you, just like it does for everything else in the code. So when it submits it submits as the decoded entity--the real thing.

So worry not!

Bl248 (Author) Commented:
Thanks - sometimes you just need to talk these things out. This confirms then that I really do not want to add the entity_decode step. If I use these functions in an application where I want to allow users to enter actual code snippets then I want the entered entity codes to be retained so that if I output the saved content in <pre> or <xmp> tags then, they are displayed as entered.

I'm sure there are special applications where they need to do the entity_decode then, but it's not what the standard apps that I write need.
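The round trip discussed in this thread, as an added example that is not code from any of the posters: the value is escaped once with htmlspecialchars() when the form is rendered, an HTML parser (PHP's DOMDocument standing in for the browser, which is an assumption of this sketch) decodes it while building the field, and the posted value is compared with the stored one, with and without an extra html_entity_decode(). The function names render_form() and browser_value(), the field name "note" and the second sample string are constructed for illustration.

```php
<?php
// Added example. Sample values are constructed; the first one is the
// test string from the question.

// Server side: escape the stored value exactly once, at output time.
function render_form(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
    return '<html><body><form><textarea name="note">' . $safe
         . '</textarea></form></body></html>';
}

// Browser side (simulated): the HTML parser decodes character references
// while building the DOM, so the field value it would submit is the
// decoded text, not the entity-encoded source.
function browser_value(string $html): string
{
    libxml_use_internal_errors(true);   // keep parser notices off the output
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    return $doc->getElementsByTagName('textarea')->item(0)->textContent;
}

$cases = [
    "do quote's work? new <b>test</b>",  // markup and an apostrophe
    "typed literally: &lt;b&gt;",         // a user who typed entity text
];

foreach ($cases as $stored) {
    $posted = browser_value(render_form($stored));

    // What arrives in the POST is already the original text, so it can be
    // saved and searched as-is.
    echo "stored : $stored\n";
    echo "posted : $posted\n";
    echo 'posted === stored: ';
    var_dump($posted === $stored);

    // An extra decode on input is a second decode. It leaves the first
    // sample alone but rewrites the entity text the second user typed.
    $decoded = html_entity_decode($posted, ENT_QUOTES, 'UTF-8');
    echo 'after extra html_entity_decode === stored: ';
    var_dump($decoded === $stored);
    echo "\n";
}
```

The stored value stays raw in both cases, so htmlspecialchars() must be applied again every time it is written back into HTML.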
