Forum Moderators: coopster


htmlentities & htmlspecialchars: which one do you use?

         

Xuefer

11:18 am on Jul 29, 2003 (gmt 0)

10+ Year Member



seems htmlspecialchars is enough for all charsets, why do we have htmlentities?
htmlentities will cause wrong things if you don't specify the correct charset

vincevincevince

9:10 pm on Jul 29, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



i use neither - i str_replace or preg_replace what I want, and only what I want each time. who's to say I don't want users to be able to type in <b> or <em>, or insert javascript snippets? sometimes i do - sometimes i don't ;-) everything is application dependent

Xuefer

12:47 am on Jul 30, 2003 (gmt 0)

10+ Year Member



-_-
i meant "which one to use", not "to use or not to use, this is a question"

jatar_k

5:28 pm on Jul 30, 2003 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



It would seem that htmlentities is greedier about what to convert.

htmlentities()

This function is identical to htmlspecialchars() in all ways, except with htmlentities(), all characters which have HTML character entity equivalents are translated into these entities.

htmlspecialchars()

Certain characters have special significance in HTML, and should be represented by HTML entities if they are to preserve their meanings. This function returns a string with some of these conversions made; the translations made are those most useful for everyday web programming. If you require all HTML character entities to be translated, use htmlentities() instead.

It would seem that htmlspecialchars has a set of chars that it converts and htmlentities will do anything that has a special char to represent it. I think htmlspecialchars will be fine unless you run into some specific issue with a char that it doesn't convert.

Xuefer

1:39 am on Jul 31, 2003 (gmt 0)

10+ Year Member



yes, that's the problem i'm wondering about
where do we have to use htmlentities, and htmlspecialchars is not enough?
i still get no exact answer
i hadn't used htmlentities at all *_*
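
The comparison the thread asks about, as an added example that is not part of any poster's message: it runs both functions over one constructed string, once with the matching charset and once with a mismatched one. The sample input and the `check()` helper are assumptions made for this illustration; explicit flags are passed so the result does not depend on a PHP version's defaults.

```php
<?php
// Added example, not code from the thread. All sample strings are constructed.
// "\xC3\xA9" and "\xC3\xA8" are the UTF-8 bytes of e-acute and e-grave, written
// as escapes so the result does not depend on this file's own encoding.
$input = "<a href='x'>caf\xC3\xA9 & \"cr\xC3\xA8me\"</a>";

// Hypothetical helper: fail loudly if a result differs from what is expected.
function check(string $label, string $got, string $want): void
{
    if ($got !== $want) {
        throw new RuntimeException("$label: got [$got], expected [$want]");
    }
    echo str_pad($label, 36), "[$got]\n";
}

// 1. htmlspecialchars converts only the HTML-significant characters
//    & < > " ' and leaves the accented letters as raw bytes.
$escaped = "&lt;a href=&#039;x&#039;&gt;caf\xC3\xA9 &amp; &quot;cr\xC3\xA8me&quot;&lt;/a&gt;";
check('htmlspecialchars, UTF-8', htmlspecialchars($input, ENT_QUOTES, 'UTF-8'), $escaped);

// 2. htmlentities escapes the same five characters identically and, in
//    addition, turns every character that has a named entity into that entity.
check('htmlentities, UTF-8', htmlentities($input, ENT_QUOTES, 'UTF-8'),
    "&lt;a href=&#039;x&#039;&gt;caf&eacute; &amp; &quot;cr&egrave;me&quot;&lt;/a&gt;");

// 3. Same UTF-8 bytes, but declared as ISO-8859-1: htmlentities reads each
//    byte as a separate Latin-1 character and emits the wrong entities.
check('htmlentities, ISO-8859-1 (wrong)', htmlentities($input, ENT_QUOTES, 'ISO-8859-1'),
    "&lt;a href=&#039;x&#039;&gt;caf&Atilde;&copy; &amp; &quot;cr&Atilde;&uml;me&quot;&lt;/a&gt;");

// 4. htmlspecialchars with the same wrong single-byte charset passes the
//    non-ASCII bytes through untouched, so its output matches case 1.
check('htmlspecialchars, ISO-8859-1', htmlspecialchars($input, ENT_QUOTES, 'ISO-8859-1'), $escaped);

// 5. The opposite mismatch: a Latin-1 byte ("\xE9") declared as UTF-8 is an
//    invalid sequence, and the whole result is an empty string unless
//    ENT_SUBSTITUTE is set, which inserts U+FFFD instead.
check('htmlentities, invalid UTF-8', htmlentities("caf\xE9", ENT_QUOTES, 'UTF-8'), '');
check('  with ENT_SUBSTITUTE',
    htmlentities("caf\xE9", ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "caf\xEF\xBF\xBD");
```

For output encoding against markup injection, the five characters in case 1 are the ones that matter, and both functions treat them the same way; the extra conversions in case 2 only affect how non-ASCII text is represented.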