This may seem obvious, but it caused me some frustration. If you try and use htmlspecialchars with the $charset argument set and the string you run it on is not actually the same charset you specify, you get an empty string returned without any notice/warning/error.
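<?php
$ok_utf8 = "A valid UTF-8 string";
// Stands in for input containing byte sequences that are not valid UTF-8
$bad_utf8 = "An invalid UTF-8 string";

// Same call on both strings; only the input's actual encoding differs
var_dump(htmlspecialchars($bad_utf8, ENT_NOQUOTES, 'UTF-8'));
var_dump(htmlspecialchars($ok_utf8, ENT_NOQUOTES, 'UTF-8'));
?>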
So make sure your charsets are consistent:
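<?php
// Stands in for input containing byte sequences that are not valid UTF-8
$bad_utf8 = "An invalid UTF-8 string";

// Detect the source encoding and convert to UTF-8 before escaping
$bad_utf8 = mb_convert_encoding($bad_utf8, 'UTF-8', mb_detect_encoding($bad_utf8));
var_dump(htmlspecialchars($bad_utf8, ENT_NOQUOTES, 'UTF-8'));
?>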
I had this problem because a Mac user was submitting posts copy/pasted from a program and it contained weird chars in it.
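
The behaviour described in the note above, as an added example that is not part of the original note: it compares the note's call, the same call with `ENT_SUBSTITUTE`, and a wrapper that validates the encoding before escaping. The helper name `escape_utf8`, the `Windows-1252` fallback and the sample bytes are assumptions made for illustration.

```php
<?php
/**
 * Hypothetical helper (not a PHP built-in): escape $input for HTML as UTF-8
 * without ever silently returning an empty string.
 *
 * $assumedLegacy is an assumption about where mislabeled input comes from;
 * choose it per application rather than guessing per request.
 */
function escape_utf8(string $input, string $assumedLegacy = 'Windows-1252'): string
{
    if (!mb_check_encoding($input, 'UTF-8')) {
        // Not valid UTF-8: reinterpret the bytes as the assumed legacy charset.
        $input = mb_convert_encoding($input, 'UTF-8', $assumedLegacy);
    }

    // ENT_SUBSTITUTE replaces any remaining invalid sequence with U+FFFD
    // instead of discarding the whole string. ENT_QUOTES also escapes both
    // quote characters, so the result is usable inside attribute values.
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: the same text once as UTF-8, once as Latin-1 bytes.
$samples = [
    'valid UTF-8'   => "caf\u{00E9} <b>",
    'Latin-1 bytes' => "caf\xE9 <b>",
];

foreach ($samples as $label => $raw) {
    echo "== $label ==\n";

    // The call from the note: explicit flags without ENT_SUBSTITUTE.
    var_dump(htmlspecialchars($raw, ENT_NOQUOTES, 'UTF-8'));

    // Same call, but invalid sequences are replaced rather than fatal.
    var_dump(htmlspecialchars($raw, ENT_NOQUOTES | ENT_SUBSTITUTE, 'UTF-8'));

    // Validate, convert if needed, then escape.
    var_dump(escape_utf8($raw));

    // Flag input that was not valid UTF-8 so it can be logged or rejected.
    var_dump(mb_check_encoding($raw, 'UTF-8'));
}
```

From PHP 8.1 the default flags already include `ENT_SUBSTITUTE`, so the empty result only appears when flags are passed explicitly without it, as in the note's `ENT_NOQUOTES` call.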