For a text field where I want to allow apostrophe's (single quotes) and basic html like a bold tag. I am filtering the input field, stripping the data and using addslahes() if required.
When it comes to updating this field - I would use stripslashes and htmlspecialchars to convert the quotes and <> to html entitie as in stripslashes(htmlspecialchars($data_value,ENT_QUOTES))
I can see the slashes have been stripped and entities used - example:
"do quote's work? new <b>test</b>" - becomes
"do quote's work?\nnew<b>test</b>"
The content in the input field <textarea> looks correct - no unusual characters
do quote's work? new test -- where test is in bold
When the form is posted the incoming value does not contain entities but just the characters. The quote is a ' and the < is a <
It would appear I do not need to use html_entities_decode on this data before saving to revert it back. I would need to ensure I save the data as it appears and not with the HTML entity values.
I would want to search on quote's and not quote's
I ask because there are a number of comments in the online html manual about using a un-convert entity function or html_entity_decode(). I would think this is only needed if the data was not being displayed and posted back or was in a hidden field and somehow the entity value were still retained.
Anyway - interested to see if I am missing something.