I watched a PHP login tutorial on a commercial platform where it is advised to use htmlentities() on a password string which is given via the POST method.
As the password is never displayed, isn't it wrong to use this function, as it alters the password which was entered by the user? I know that this will only affect HTML codes, but is it really non-safe to not use the function as the password is never displayed?
The one and only time you use htmlentities for anything is if and when you're outputting data into HTML, right then and there. E.g.:
<p><?php echo htmlentities($data); ?></p>
In any other context HTML entities are generally useless* and will only garble/change/destroy your data. Indeed, using it on a password, probably nowhere near any HTML context, is highly suspect.
* Yes, you can probably find some specialised use case somewhere…
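To make the effect on passwords concrete, here is an added example (not code from the question, the answer or the tutorial) showing what entity-encoding does to a password before hashing, next to hashing the raw input. The sample passwords, the sample username and the helper name `encoded()` are constructed for illustration, and bcrypt is selected explicitly for the truncation case.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode the way the tutorial's approach would, before hashing.
function encoded(string $pw): string
{
    return htmlentities($pw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample password with characters htmlentities() rewrites.
$entered = 'p<ss&"w0rd';
printf("typed:   %s (%d bytes)\n", $entered, strlen($entered));
printf("encoded: %s (%d bytes)\n", encoded($entered), strlen(encoded($entered)));

// 1) A hash built from the encoded string only verifies if every login
//    path applies the identical encoding; the raw password is rejected.
$hashOfEncoded = password_hash(encoded($entered), PASSWORD_BCRYPT);
echo "raw input vs. hash of encoded: ";
var_dump(password_verify($entered, $hashOfEncoded));

// 2) bcrypt only uses the first 72 bytes. Entity expansion ("&" becomes
//    "&amp;") can push the distinguishing characters past that limit.
$a = str_repeat('&', 15) . 'A';   // 16 bytes raw, 76 bytes encoded
$b = str_repeat('&', 15) . 'B';   // differs from $a only in the last byte
echo "raw:     B accepted for A's hash? ";
var_dump(password_verify($b, password_hash($a, PASSWORD_BCRYPT)));
echo "encoded: B accepted for A's hash? ";
var_dump(password_verify(encoded($b), password_hash(encoded($a), PASSWORD_BCRYPT)));

// 3) Hash and verify the password exactly as typed; escape only at the
//    point where user-supplied data is written into HTML.
$hash = password_hash($entered, PASSWORD_DEFAULT);
echo "raw input vs. hash of raw: ";
var_dump(password_verify($entered, $hash));

$username = '<b>alice</b>';       // constructed sample value
echo '<p>Welcome, ', encoded($username), '</p>', PHP_EOL;
```

Case 2 is the security-relevant one: encoding before hashing makes the stored secret longer without adding entropy, so under bcrypt two different passwords can end up verifying against the same hash.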