You should only encode on output, not on input. If a user enters `AT&T` in your application, this should be stored as `AT&T` in the database. There is no need to encode it, but of course make sure that you are using parameterised queries, which will prevent characters such as `'` from breaking out of the SQL command context and causing SQL injection.
When you output, this is the only time you need to encode characters. e.g. `AT&T` should be encoded as `AT&amp;T` when output to HTML, so it is displayed in the browser as `AT&T`.
It seems like your application is encoding the input and also encoding the output, so strings like the above will be double encoded and then output as `AT&amp;amp;T` in your HTML, causing the problem. Remove your input encoding to solve this.
The reason you should only encode on output is that if you decide you want to output data to a different format such as JSON or JavaScript, then the encoding is different. `O'leary` would become `O\x27leary` if encoded properly for JavaScript, which would not display properly in HTML, where the encoding is `O&#39;leary`.
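As an added example (not code from the original answer), the same rule in Node.js: a hypothetical in-memory `users` array stands in for the database table, `encodeForHtml` and `encodeForJsString` are illustrative encoders rather than any framework's, and `storeUserEncodedOnInput` reproduces the double-encoding bug described above so the two outputs can be compared side by side.

```javascript
// Added example (not from the original answer): keep the raw value in storage
// and encode it for whichever output context it is written into.

// HTML text/attribute context: the five characters that can change meaning.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// JavaScript string-literal context: everything except [A-Za-z0-9] becomes
// \xHH (or \uHHHH above 0xFF), so quotes, backslashes, </script> and line
// terminators cannot end the literal or the enclosing <script> block.
function encodeForJsString(value) {
  const s = String(value);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const code = s.charCodeAt(i);
    if (/[A-Za-z0-9]/.test(ch)) {
      out += ch;
    } else if (code < 0x100) {
      out += '\\x' + code.toString(16).padStart(2, '0');
    } else {
      out += '\\u' + code.toString(16).padStart(4, '0');
    }
  }
  return out;
}

// Hypothetical in-memory stand-in for the database table.
const users = [];

// Correct: store exactly what the user typed (with a parameterised query in
// real code); nothing is encoded here. Returns the row id.
function storeUser(name) {
  users.push({ name });
  return users.length - 1;
}

// The bug from the question: encoding on input as well as on output.
function storeUserEncodedOnInput(name) {
  users.push({ name: encodeForHtml(name) });
  return users.length - 1;
}

// Output: pick the encoder for the context the value is inserted into.
function renderHtml(id) {
  return `<p>Hello, ${encodeForHtml(users[id].name)}</p>`;
}
function renderInlineScript(id) {
  return `<script>var name = '${encodeForJsString(users[id].name)}';</script>`;
}

// Side-by-side demo of the correct path and the double-encoding bug.
function demo() {
  const ok = storeUser('AT&T');
  const bad = storeUserEncodedOnInput('AT&T');
  return [
    renderHtml(ok),                           // browser shows AT&T
    renderHtml(bad),                          // browser shows AT&amp;T
    renderInlineScript(storeUser("O'leary")), // var name = 'O\x27leary';
  ];
}
demo().forEach((line) => console.log(line));
```

Encoding the apostrophe as `\x27` rather than `\'` in the script context avoids escape-the-escape tricks and keeps the literal intact even where an HTML attribute decoder runs before the JavaScript parser; in the HTML context `&#39;` is used because `&apos;` is not defined in HTML 4.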