htmlentities and editing text

Do I need to sanitize the data before putting the text back in a text
box for editing?

You “sanitize” data that you are receiving. Then “escape” it when outputting.

Depending on your exact code (which you did not provide any examples of), you may want to do more than stripslashes() (or replace that altogether). WP has several built-in functions for handling various kinds of data. For example:

// Use the "sanitize" functions instead of stripslashes()
$sanitized_username = sanitize_user( $_POST['user_login'] );
$sanitized_email = sanitize_email( $_POST['user_email'] );
$sanitized_fname = sanitize_text_field( $_POST['first_name'] );
$sanitized_lname = sanitize_text_field( $_POST['last_name'] );
// Now you can write these to the db or use them.

// "Escape" data when outputting
echo '<input class="' . esc_attr( $my_class ) . '" name="some_input" value="" />';

echo '<a href="' . esc_url( $my_url ) . '">Link text</a>';

These are just a few examples – there are quite a few different functions within WP itself for proper data handling.

Also, you don’t need to escape data if you know for certain what it is. In your case, you’re pulling it from a database, so you shouldn’t necessarily trust it as 100% safe. But if you’re outputting something that’s contained in a variable but the variable is set in the code (i.e. you’re not pulling it from an untrusted source), then you don’t need to escape it.
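The edit-form round trip the question asks about, as an added example that is not part of the original answer: sanitize when the form is submitted, escape when the stored value is written back into the text box. It assumes the code is loaded inside WordPress (for example from a plugin file); the field names, meta keys, nonce action and function names are hypothetical.

```php
<?php
// Added example; runs only inside WordPress. All 'my_*' names are hypothetical.

// Sanitize on the way in: handle the submitted edit form.
function my_profile_save() {
    if ( ! is_user_logged_in() || ! isset( $_POST['my_profile_nonce'] ) ) {
        return;
    }
    $nonce = sanitize_text_field( wp_unslash( $_POST['my_profile_nonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'my_profile_save' ) ) {
        return; // Not our form, or a forged request.
    }
    $user_id = get_current_user_id();
    // WordPress adds slashes to $_POST, so unslash first, then sanitize by field type.
    if ( isset( $_POST['my_title'] ) ) {
        $title = sanitize_text_field( wp_unslash( $_POST['my_title'] ) );
        update_user_meta( $user_id, 'my_title', $title );
    }
    if ( isset( $_POST['my_bio'] ) ) {
        $bio = sanitize_textarea_field( wp_unslash( $_POST['my_bio'] ) );
        update_user_meta( $user_id, 'my_bio', $bio );
    }
}
add_action( 'init', 'my_profile_save' );

// Escape on the way out: put the stored values back into the form for editing.
function my_profile_form() {
    $user_id = get_current_user_id();
    $title   = get_user_meta( $user_id, 'my_title', true );
    $bio     = get_user_meta( $user_id, 'my_bio', true );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'my_profile_save', 'my_profile_nonce' ); ?>
        <!-- Attribute context: esc_attr() keeps a stored quote from ending value="". -->
        <input type="text" name="my_title" value="<?php echo esc_attr( $title ); ?>" />
        <!-- Element context: esc_textarea() keeps a stored "</textarea>" from closing the field. -->
        <textarea name="my_bio"><?php echo esc_textarea( $bio ); ?></textarea>
        <input type="submit" value="Save" />
    </form>
    <?php
}
```

The browser decodes the entities when it renders the field, so the user edits and resubmits the original characters; nothing needs to be decoded on save.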
