It seems that even in O’Reilly’s book Learning PHP & MySQL, the use of htmlentities($user_input) is everywhere.
Moreover, htmlspecialchars() works well with UTF-8 without specifying the 3rd argument as UTF-8. htmlentities() will mess up a UTF-8 string unless the 3rd argument is specified as UTF-8.
Also, then what is htmlentities() good for? Merely to make sure the entity characters are displayed correctly when there is no encoding provided by the HTTP header or the http-equiv in <head> </head>, and then displaying non-ASCII content? UTF-8 and ISO-8859-1 mismatch, and so forth? When we actually output the correct header and content in the corresponding encoding, there is really no use for htmlentities()?
Well, the most common and practical need in my day to day use of PHP is:
To prevent malicious user data from doing Cross Site Scripting (XSS)
To actually print out HTML code on a webpage like here: <div>Hello World</div>
And htmlspecialchars() already fully performs that function.
So if you are so confident in saying people are wrong, Stormrider, how about you merely state one case, common and practical, in which we actually need htmlentities(), when the header already specifies the correct encoding type and the content is in the correct corresponding encoding?
As I said, state one good reason to use htmlentities(). htmlentities() is the right tool for what job, when the HTTP header gives the right encoding type, such as “utf-8”, for content in that encoding?
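The following PHP script is an added example, not code from the thread or from the book being discussed. It runs the two functions the post compares over constructed sample inputs (an XSS probe, literal HTML to be displayed, an attribute-breakout attempt, non-ASCII UTF-8 text, and an invalid UTF-8 byte) so the difference can be seen directly. The helper names escape_html(), escape_html_entities() and render_search_box() are assumptions introduced here for illustration.

```php
<?php
// Added example (not from the original thread): htmlspecialchars() vs
// htmlentities() on UTF-8 input, with the flags a practitioner should pass.
declare(strict_types=1);

/**
 * Escape a string for HTML text or a quoted attribute value.
 * ENT_QUOTES    - also escape ' (needed for single-quoted attributes;
 *                 the pre-8.1 default ENT_COMPAT leaves ' alone).
 * ENT_SUBSTITUTE - replace invalid UTF-8 sequences with U+FFFD instead of
 *                 returning an empty string, which is what happens without it.
 */
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Same flags, but every character that has a named entity is converted. */
function escape_html_entities(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Escaping is context dependent: the escaped value must land inside a
 * quoted attribute (or element text). Hypothetical template fragment.
 */
function render_search_box(string $userValue): string
{
    return '<input type="text" name="q" value="' . escape_html($userValue) . '">';
}

// Constructed sample inputs, not real user data.
$samples = [
    'xss probe'          => '"><script>alert(1)</script>',
    'literal html'       => '<div>Hello World</div>',
    'attribute breakout' => "x' onmouseover='alert(1)",
    'non-ascii utf-8'    => 'Grüße, café',
    'invalid utf-8'      => "caf\xE9",   // lone Latin-1 byte, not valid UTF-8
];

foreach ($samples as $label => $raw) {
    printf("%-18s raw:               %s\n", $label, $raw);
    printf("%-18s htmlspecialchars:  %s\n", '', escape_html($raw));
    printf("%-18s htmlentities:      %s\n", '', escape_html_entities($raw));
    // No charset argument: the result depends on the PHP version, because the
    // default charset was ISO-8859-1 before PHP 5.4 and UTF-8 afterwards.
    printf("%-18s no charset given:  %s\n\n", '', htmlentities($raw));
}

echo render_search_box($samples['attribute breakout']), "\n";
```

Run it with `php example.php` and compare the columns: for the XSS and literal-HTML inputs both functions produce the same markup-neutral text (the angle brackets and quotes become &lt;, &gt;, &quot; and &#039;), so either stops the script from executing and displays the HTML as text. They differ only on the non-ASCII line, where htmlspecialchars() passes the UTF-8 characters through untouched and htmlentities() turns them into named entities such as &uuml; and &eacute;. The invalid-UTF-8 line shows why ENT_SUBSTITUTE matters: with a declared UTF-8 charset and no substitute flag, both functions return an empty string for that input, which silently drops the user's text. Note also that the escaped value is only safe where render_search_box() puts it, inside a quoted attribute or element text; it is not sufficient inside a <script> block, a URL, or an unquoted attribute.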