First off, you shouldn't be using htmlentites around 99% of the time. Instead, you should use htmlspecialchars() for escaping text for use inside xml/html documents. htmlentities are only useful for displaying characters that the native characterset you're using can't display (it is useful if your pages are in ASCII, but you have some UTF-8 characters you would like to display). Instead, just make the whole page UTF-8 (it's not hard), and be done with it.

As far as urlencode, you hit the nail on the head.

So, to recap:

• Inside HTML:

  <b><?php echo htmlspecialchars($string, ENT_QUOTES, "UTF-8"); ?></b>
  

• Inside of a url:

  $url = '?foo='.urlencode('bar');
  

That's about right. Although - htmlspecialchars is fine, as long as you get your charsets straight. Which you should do anyway. So I tend to use that, so I would find out early if I had messed it up.

Also note that if you put an url into a html context (say - in the href of an a-tag), you need to escape that. So you'll often see something like:

echo "<a href='" . htmlspecialchars("?foo=".urlencode($foo)) . "'>clicky</a>"