Disclaimer
This is not a question about whether we should be escaping for database input. This is strictly looking at the technical differences between the three functions in the title.
There is this question discussing the difference between htmlentities() and htmlspecialchars(). But it doesn't really discuss filter_var(), and the information I found on Google was more along the lines of "Make sure you escape user input before it is echo'd!"
My questions are:
- Why are htmlspecialchars() and htmlentities() commonly used over filter_var()?
- Is filter_var() not as secure as the other two options?

For example, before a value is echo'd:
filter_var($var, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
My guess (regarding the lack of adoption) is that the Filter extension has only been enabled by default since v5.2, while the html* functions have been around longer.
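An added example, not taken from the question or any answer on the page, that runs the three calls side by side on one constructed input so the behavioural differences the question asks about become visible (the sample string and labels are constructed here; the helper name leavesRawMarkup is hypothetical):

```php
<?php
// Added example (not from the question or its answers): run the three
// escaping calls on one constructed input so their differences are visible.
declare(strict_types=1);

// Constructed sample: both quote styles, a tag, an already-encoded entity
// (&amp;) and a non-ASCII character that has a named HTML entity (é).
$input = '"O\'Reilly" <b>&amp; Café</b>';

$variants = [
    // PHP < 8.1 default flags leave the single quote alone; 8.1+ encodes it.
    'htmlspecialchars() defaults'     => htmlspecialchars($input),
    // Explicit flags: version-independent, both quote styles encoded, and
    // invalid UTF-8 is substituted instead of yielding an empty string.
    'htmlspecialchars() ENT_QUOTES'   => htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    // Same flags, but every character with a named entity is converted
    // (é becomes &eacute;), which is presentation, not extra safety.
    'htmlentities() ENT_QUOTES'       => htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    // Documented as htmlspecialchars() with ENT_QUOTES set; the sample's
    // existing &amp; shows whether each call double-encodes entities.
    'filter_var() FULL_SPECIAL_CHARS' => filter_var($input, FILTER_SANITIZE_FULL_SPECIAL_CHARS),
];

// The property that matters when the value is echoed into HTML text or an
// attribute: no raw <, >, " or ' may survive escaping.
function leavesRawMarkup(string $escaped): bool
{
    return strpbrk($escaped, '<>"\'') !== false;
}

foreach ($variants as $label => $escaped) {
    printf(
        "%-34s %s%s\n",
        $label . ':',
        $escaped,
        leavesRawMarkup($escaped) ? '   <-- raw markup left' : ''
    );
}
```

Only the defaults row can show raw markup (the single quote on PHP before 8.1); the three ENT_QUOTES rows differ in how far they encode, not in whether the markup characters are neutralised.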