I was wondering when is the appropriate place to use htmlspecialchars(). Is it before inserting data to database or when retrieving them from the database?
You should only call this method when echoing the data into HTML.
Don't store escaped HTML in your database; it will just make queries more annoying.
The database should store your actual data, not its HTML representation.
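The pattern the answer describes, as an added example that is not part of the original question or answer: the raw text goes into the database through a prepared statement, and htmlspecialchars() is applied only at the point where the value is written into HTML. It assumes PDO with the SQLite driver; the table, the helper names (`store_comment`, `h`, `render_comment`) and the sample input are constructed here for illustration.

```php
<?php
// Added example, not code from the original page. Assumes PDO + SQLite.
// Table schema, helper names and sample input are constructed for this demo.

function store_comment(PDO $db, string $author, string $body): int {
    // Store the raw text. The prepared statement handles SQL parameterisation;
    // htmlspecialchars() has no role at this layer.
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

function h(string $s): string {
    // Escape at the HTML boundary. ENT_QUOTES also escapes single and double
    // quotes so the value is safe inside attribute values; ENT_SUBSTITUTE
    // replaces invalid UTF-8 instead of returning an empty string; the charset
    // is given explicitly rather than relying on the runtime default.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_comment(array $row): string {
    // Every dynamic value passes through h() exactly once, at output time,
    // whether it lands in an attribute or in element text.
    return '<li data-author="' . h($row['author']) . '">' . h($row['body']) . '</li>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed sample input containing markup, an ampersand and quote characters.
store_comment($db, 'dana "d"', 'I <3 "PHP" & <b>bold</b> text');

// Because the stored text is raw, non-HTML uses of the data keep working:
// a plain substring search matches the characters the user actually typed.
$stmt = $db->prepare('SELECT COUNT(*) FROM comments WHERE body LIKE :needle');
$stmt->execute([':needle' => '%<b>%']);
echo 'rows containing a literal <b>: ', (int) $stmt->fetchColumn(), "\n";

// The only place escaping happens is here, when building the HTML response.
echo "<ul>\n";
foreach ($db->query('SELECT author, body FROM comments') as $row) {
    echo render_comment($row), "\n";
}
echo "</ul>\n";
```

Run it with `php example.php`. Had the comment been escaped before the INSERT, the LIKE search above would have had to match `&lt;b&gt;` instead of `<b>`, any non-HTML consumer (a JSON API, an e-mail, a CSV export) would have received entity-encoded text, and a second escape on output would have shown `&amp;lt;` to the reader; keeping the stored value raw and escaping once at the HTML boundary avoids all three.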