This is the most confusing part I encountered today. I'm using CodeIgniter, but its XSS filter doesn't seem to work properly as we expect, so we tried using htmlentities while saving the data into the database. But I read somewhere that we should never change/edit the user-inputted data in the database; we should always do that while outputting to the browser. So here I'm totally confused: what would be the safest and best way to take user input, save it in the database and output that data using PHP?
What did you expect from CI's XSS filtering that makes you think it is not working properly?
To answer your questions, follow all these steps:

1. Validate user input data first (before doing anything with it) instead of filtering and correcting it. Do this using the CodeIgniter Form Validation Class.
   Guide link: https://ellislab.com/codeigniter/user-guide/libraries/form_validation.html

2. For your database queries use the CodeIgniter Active Record Class; all data is escaped automatically, for example $this->db->insert('mytable', $data);
   Guide link: https://ellislab.com/codeigniter/user-guide/database/active_record.html

3. To echo user input data from the database or anywhere else, use the CodeIgniter html_escape() function.

You're good to go...

P.S. The links are for version 2.2; if you're using version 3 the routine is the same, simply find the guide on codeigniter.com.
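The three steps above put together as one minimal CodeIgniter controller and view. This is an added example, not code from the original answer or from the CodeIgniter project. It assumes CodeIgniter 2.2 or 3.x, a `comments` table with `id`, `author`, `body` and `created_at` columns, and that `$config['global_xss_filtering']` in config.php is left at its default of FALSE, so what the user typed reaches the database unmodified and is escaped only where it is rendered.

```php
<?php
// application/controllers/Comments.php   (CI 3 wants the capitalised file name;
//                                          CI 2.2 uses lower-case comments.php)
// Added example, not the original answer's code. Table/column names are assumed.
defined('BASEPATH') OR exit('No direct script access allowed');

class Comments extends CI_Controller {

    public function index()
    {
        $this->load->helper(array('form', 'url'));
        $this->load->library('form_validation');
        $this->load->database();

        // Step 1: validate, do not "clean". Bad input is rejected, never rewritten.
        // Deliberately no xss_clean rule and no TRUE second argument to post():
        // the value stored must be exactly what the user submitted.
        $this->form_validation->set_rules('author', 'Name',    'trim|required|max_length[50]');
        $this->form_validation->set_rules('body',   'Comment', 'trim|required|max_length[1000]');

        // run() returns FALSE on a plain GET (no POST data), so this branch is POST-only.
        if ($this->form_validation->run() === TRUE)
        {
            // Step 2: Active Record (Query Builder in CI 3) escapes the values for SQL.
            // That protects the query, not the HTML page; those are two separate problems.
            $row = array(
                'author'     => $this->input->post('author'),
                'body'       => $this->input->post('body'),
                'created_at' => date('Y-m-d H:i:s'),
            );
            $this->db->insert('comments', $row);
            redirect('comments');   // redirect-after-POST so a refresh does not re-insert
        }

        $data['comments'] = $this->db->order_by('id', 'DESC')
                                     ->limit(20)
                                     ->get('comments')
                                     ->result_array();
        $this->load->view('comments_view', $data);
    }
}
// ---------------------------------------------------------------------------
// application/views/comments_view.php  (second file, shown in the same block)
?>
<!-- Step 3: escape at output time, in the context where the value lands. -->
<?php echo validation_errors('<p class="error">', '</p>'); ?>
<?php echo form_open('comments'); ?>
    <!-- set_value() already HTML-escapes the repopulated value (form_prep() in 2.2,
         html_escape() in 3.x), so it is not wrapped again here. -->
    <input type="text" name="author" value="<?php echo set_value('author'); ?>">
    <textarea name="body"><?php echo set_value('body'); ?></textarea>
    <button type="submit">Post</button>
</form>

<?php foreach ($comments as $c): ?>
    <div class="comment">
        <!-- html_escape() is htmlspecialchars() with ENT_QUOTES, so it is safe both in
             element text and inside a double-quoted attribute. -->
        <strong><?php echo html_escape($c['author']); ?></strong>
        <!-- The raw stored text is escaped only here. A body of <script>alert(1)</script>
             is stored verbatim and rendered as literal text. -->
        <p><?php echo nl2br(html_escape($c['body'])); ?></p>
    </div>
<?php endforeach; ?>
```

Two caveats a practitioner should keep in mind. First, html_escape() is the right encoder for HTML element text and quoted attributes only; a value dropped into a JavaScript string, a URL, or a CSS property needs that context's own encoding (json_encode(), rawurlencode(), and so on), which CodeIgniter does not provide for you. Second, storing the unmodified value is exactly what makes this work: every consumer of the row (this view, a JSON API, an e-mail) escapes once, for its own context, instead of inheriting an HTML-entity-encoded string that is wrong for all the others.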