<?php
foreach ($_POST as $key=>$value){
$_POST[$key] = htmlspecialchars($_POST[$key]);
}
?>
<form method="POST" action="">
<input type="text" name="test" value="<?=isset($_POST['test'])?$_POST['test']:''?>"/>
<input type="submit" />
</form>
VS.
<?php
// Guard with isset: on the first (GET) request the key does not exist yet
if (isset($_POST['test'])) {
$_POST['test'] = htmlspecialchars($_POST['test']);
}
?>
<form method="POST" action="">
<input type="text" name="test" value="<?=isset($_POST['test'])?$_POST['test']:''?>"/>
<input type="submit" />
</form>
If the user tries to inject an array, then htmlentities
will generate a notice; you should check for a string before calling it, else:
Notice: Array to string conversion
I have been using Acunetix (http://www.acunetix.com/); if you can afford it, it showed me flaws in my code.
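As an added example (not code from the original post), the following escaping helper implements the string check suggested above: it only passes strings to htmlspecialchars (the function used in the snippets above), recurses into arrays so an injected `test[]=x` or `test[a][b]=x` never produces the "Array to string conversion" notice, and escapes both quote styles so the value is safe inside any quoted attribute. The function name `escapeForHtml` and the `$post` sample array are assumptions constructed for the example; in real code `$post` would be `$_POST`.

```php
<?php
// Added example, not from the original post: escape POST values only when they
// are strings and recurse into arrays, so an injected array never reaches
// htmlspecialchars or the template as an unescaped/unexpected type.
function escapeForHtml($value)
{
    if (is_array($value)) {
        // Recurse so nested arrays (test[a][b]=x) are escaped element by element
        return array_map('escapeForHtml', $value);
    }
    if (!is_string($value)) {
        // Nothing else arrives via $_POST, but be explicit rather than rely on casts
        return $value;
    }
    // ENT_QUOTES escapes both " and ' (safe in any quoted attribute),
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
    // and the explicit charset avoids depending on the runtime default
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for $_POST, including an injected array
$post = [
    'test'  => '"><script>alert(1)</script>',
    'other' => ['a' => '<b>', 'b' => ['c' => "'x'"]],
];

$clean = escapeForHtml($post);

// Only use the value if it exists AND is a string; an injected array for
// "test" falls back to the empty string instead of triggering a notice
$test = (isset($clean['test']) && is_string($clean['test'])) ? $clean['test'] : '';
?>
<form method="POST" action="">
<input type="text" name="test" value="<?= $test ?>"/>
<input type="submit" />
</form>
```

With the sample above the rendered attribute becomes `value="&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;"`, and `$clean['other']['b']['c']` is `&#039;x&#039;`; the loop-over-all-keys version from the first snippet can be replaced by the single call `$_POST = escapeForHtml($_POST);` if that style is preferred.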