How to prevent saving unusual HTML entities from PHP form?

Every now and then, I get unusual data saved to the database fro开发者_如何学Pythonm my PHP form that looks like this:

Mr. Smith's 

What could be causing this, and is there a better way to remove the entities than using preg_replace, since the php decode functions don't properly decode the entire thing?

I would suggest looking at the code processing data from the form pre-insertion into the database. If you are sanitising the data to be displayed on a web page use htmlentities($var); if you are are only sanitising it for security purposes look into prepared statements / stored procedures or just mysql_real_escape_string($var). If all else fails post the code and we'll have a look.

This must be due to some technical problem. The best way to decode the entities and after that if you find something like:

/&([a-z]+|#[0-9]+);/

Do not accept the form, just alert the user about the invalid value.

You could take a look at Codeingiters' source code where they remove entities at https://bitbucket.org/ellislab/codeigniter/src/c07dcadf094e/system/libraries/Security.php in the xss_clean method. This will give you a good idea of how to clean most of them more effectively.