MySQL Forums

Re: MySQL Output Help
Posted by: Rick James
Date: December 30, 2009 12:37PM

Follow this rule... Every place that <<Hello, I'm A Turtle>> is stored, whether it is a cell in a database table, or a variable, etc., store it as just that.

Any decent UI should allow you to type <<Hello, I'm A Turtle>> without any escaping.

There are many places where that string might exist:
* Database
* PHP variable
* HTML form: <input ... value="Hello...">
* HTML output: You said: "Hello..."
* URLs .../foo.cgi?string=Hello...

Usually the technique is to apply the correct escaping as you put the string into that location.

* INSERT INTO tbl -- If coming from PHP, use mysql_real_escape_string() or quote() or whatever your API has.
* Putting into <input> or HTML (with PHP): use htmlentities()
* Putting into a url (with PHP): urlencode(), but on each piece (otherwise the '&' and '=' will be escaped).

So, you are not using PHP? Here's what those do...
* mysql_real_escape_string: Put \ in front of \ ' " (maybe others?)
* htmlentities: " & < > -- 8bit bytes are turned into "entities": &egrave; (See also htmlspecialentities)
* urlencode: virtually everything except letters and digits are turned into &EF (the hex for the byte). This is overkill, but safe.

See also nl2br(), escapeshellarg(), base64encode() in PHP. Note also that php.ini may include a setting for magic_quotes_gpc, which could confuse the issue.

Failure to escape & and < in HTML output, ' and " in MySQL strings can open you up to JavaScript hacks, SQL injection, etc. Not a pretty sight.

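Added example, not part of Rick James's post, and written in Python rather than PHP since the post itself addresses readers without PHP: the store-raw, escape-only-at-the-sink rule worked through for the three sinks the post lists. The backslash table mirrors what mysql_real_escape_string() does; html.escape() from the standard library plays the role of htmlentities(), and urllib.parse.urlencode() plays the role of PHP's urlencode() applied per piece. SQLite (also standard library) stands in for MySQL in the parameterised-query part, and mysql_parse_literal() is a simplified model of how the server reads a quoted string (assumption: backslash escapes only, the '' doubling form is ignored). Names, table and URL are invented for the demonstration.

```python
"""Added example: the post's rule (store the raw string, escape only at each
sink) worked through in Python for the three sinks the post lists. SQLite
stands in for MySQL in the parameterised-query part."""
import html
import sqlite3
from urllib.parse import parse_qs, quote_plus, urlencode, urlsplit

# The canonical value: this, and nothing else, is what the table cell and
# every program variable hold.
RAW = "Hello, I'm A Turtle"

# --- SQL sink --------------------------------------------------------------
# What mysql_real_escape_string() does, spelled out: put a backslash in front
# of the characters MySQL's string-literal syntax treats specially.
_MYSQL_ESCAPES = {
    "\\": "\\\\", "'": "\\'", '"': '\\"',
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
}
_MYSQL_UNESCAPES = {v[1]: k for k, v in _MYSQL_ESCAPES.items()}

def mysql_escape(s: str) -> str:
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in s)

def sql_literal(s: str) -> str:
    """Escape at the sink and quote: safe to splice into an INSERT."""
    return "'" + mysql_escape(s) + "'"

def naive_literal(s: str) -> str:
    """What the post warns against: quotes added, nothing escaped."""
    return "'" + s + "'"

def mysql_parse_literal(lit: str) -> str:
    """Read a single-quoted literal the way the server does: resolve backslash
    escapes and stop at the first unescaped quote. Whatever follows that quote
    is parsed as SQL, not data (simplified model; MySQL's '' doubling ignored)."""
    body, out, i = lit[1:], [], 0
    while i < len(body) and body[i] != "'":
        if body[i] == "\\" and i + 1 < len(body):
            out.append(_MYSQL_UNESCAPES.get(body[i + 1], body[i + 1]))
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)

def store_and_fetch(value: str) -> str:
    """Preferred form: a parameterised query, so the driver handles quoting
    and the raw value goes in and comes out unchanged (SQLite stands in)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tbl (s TEXT)")
    con.execute("INSERT INTO tbl (s) VALUES (?)", (value,))
    (back,) = con.execute("SELECT s FROM tbl").fetchone()
    con.close()
    return back

# --- HTML sinks ------------------------------------------------------------
def html_attr(value: str) -> str:
    """<input value="...">: html.escape(quote=True) covers & < > " and '."""
    return '<input name="string" value="%s">' % html.escape(value, quote=True)

def html_text(value: str) -> str:
    """Text content, You said: "Hello...": & < > must go; quotes may stay."""
    return 'You said: "%s"' % html.escape(value, quote=False)

# --- URL sink --------------------------------------------------------------
def url_good(value: str) -> str:
    """Encode each name and value on its own; & and = stay structural."""
    return "/foo.cgi?" + urlencode({"string": value, "lang": "en"})

def url_bad(value: str) -> str:
    """The mistake the post warns about: encoding the assembled query string
    turns its & and = into %26 and %3D, and the receiver sees no parameters."""
    return "/foo.cgi?" + quote_plus("string=%s&lang=en" % value)

def url_params(url: str) -> dict:
    return parse_qs(urlsplit(url).query)

# --- The magic_quotes_gpc trap --------------------------------------------
def stored_after_double_escape(value: str) -> str:
    """Escape once on arrival (as magic_quotes_gpc did) and again at the sink,
    and the cell ends up holding a stray backslash instead of the raw text."""
    arrived = mysql_escape(value)                      # done "for you" on input
    return mysql_parse_literal(sql_literal(arrived))   # escaped again on INSERT

if __name__ == "__main__":
    print(sql_literal(RAW), "->", repr(mysql_parse_literal(sql_literal(RAW))))
    print(html_attr(RAW), url_good(RAW), url_params(url_bad(RAW)))
    print("double escaped:", repr(stored_after_double_escape(RAW)))
```

Running it shows the three outcomes the post describes: the escaped literal and the parameterised query both give back exactly "Hello, I'm A Turtle"; url_bad() yields a query string with no recoverable parameters because its & and = were encoded along with the value; and escaping twice stores "Hello, I\'m A Turtle" with a literal backslash, which is the confusion magic_quotes_gpc caused.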