OK, reading around, it appears that common wisdom is to store the input verbatim, make no adjustments whatsoever, and simply parameterise to protect against SQL injection.
Some good comments here: What are the best practices for avoiding xss attacks in a PHP site
Then either HTML Encode (seems vulnerable), or use the XSS-Library to encode the output. As said in the link above, the destination for the data may not be a browser at some later point.
Then, using the examples of XSS attacks here: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet, input some of these into the database and read them back to the browser. With the right encoding you should see the text, and not have a script executed.
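
The approach described above, as an added example that is not part of the original post: input is stored verbatim through a parameterised query, and encoding is applied only at output time, per destination. It assumes Python with an in-memory SQLite database and a hypothetical `comments` table; the sample strings are constructed test inputs.

```python
import html
import json
import sqlite3

# Constructed sample inputs: common test strings, stored exactly as received.
SAMPLES = [
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
    "Robert'); DROP TABLE comments;--",
    "Tom & Jerry <3",
]

def store_and_load(values):
    """Insert values with a parameterised query and read them back unchanged."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    # The ? placeholder keeps the data out of the SQL text, so the input
    # needs no escaping or filtering before it is stored.
    db.executemany("INSERT INTO comments (body) VALUES (?)",
                   [(v,) for v in values])
    rows = [r[0] for r in db.execute("SELECT body FROM comments ORDER BY id")]
    db.close()
    return rows

def for_html(value):
    """Encode for an HTML element body or a quoted attribute value."""
    return html.escape(value, quote=True)

def for_json(value):
    """Encode for a JSON response; a non-browser consumer gets the original text."""
    return json.dumps(value)

if __name__ == "__main__":
    for body in store_and_load(SAMPLES):
        print("html:", for_html(body))
        print("json:", for_json(body))
```

Because the stored value is never altered, the same row can be rendered safely as HTML and still be handed intact to a consumer that is not a browser.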