filter_var vs htmlentities vs htmlspecialchars
Question

Disclaimer

This is not a question about whether we should be escaping for database input. This is strictly looking at the technical differences between the three functions in the title.
There is this question (https://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars) discussing the difference between htmlentities() and htmlspecialchars(). But it doesn't really discuss filter_var(), and the information I found on Google was more along the lines of "Make sure you escape user input before it is echo'd!"
My questions are:

- Why are htmlspecialchars() and htmlentities() commonly used over filter_var()?
- Is there some performance hit from using filter_var()?
- Is filter_var() not as secure as the other two options?
- Is there any other reason NOT to use the following to encode user input before it is echo'd?

filter_var($var, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
Accepted answer

My guess (about lack of adoption) would be it's simply because the Filter extension is only enabled by default since v5.2, whereas the html* methods have been around longer.
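As an added example (not part of the original question or answer), a PHP script that runs the three functions over a few constructed inputs, passing flags explicitly so the htmlspecialchars()/htmlentities() results do not depend on a PHP version's default flags; the sample strings are constructed for this comparison:

```php
<?php
declare(strict_types=1);

// Added example (not from the original post): apply the three escaping
// functions to the same input. Flags and charset are given explicitly so the
// html* results do not depend on the PHP version's defaults.
function compareEscapers(string $input): array
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return [
        'htmlspecialchars' => htmlspecialchars($input, $flags, 'UTF-8'),
        'htmlentities'     => htmlentities($input, $flags, 'UTF-8'),
        // FILTER_SANITIZE_FULL_SPECIAL_CHARS takes no flags/charset arguments:
        // it follows default_charset and encodes quotes unless
        // FILTER_FLAG_NO_ENCODE_QUOTES is passed.
        'filter_var'       => filter_var($input, FILTER_SANITIZE_FULL_SPECIAL_CHARS),
    ];
}

// Constructed sample inputs, each chosen to expose one difference.
$samples = [
    'markup and quotes' => '<a href="x" onclick=\'y\'>&</a>',
    'non-ASCII text'    => 'café – naïve',   // only htmlentities() converts these
    'already encoded'   => '&amp;lt;',       // shows double encoding
    'invalid UTF-8'     => "bad\xC3byte",    // substitute vs reject the string
];

foreach ($samples as $label => $input) {
    echo "== $label ==\n";
    foreach (compareEscapers($input) as $fn => $out) {
        printf("  %-16s %s\n", $fn, var_export($out, true));
    }
}

// htmlspecialchars()/htmlentities() have a $double_encode switch that
// filter_var() lacks; it matters when input may already contain entities.
echo "== htmlspecialchars with double_encode=false ==\n";
echo '  ', htmlspecialchars('&amp;lt;', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false), "\n";
```

Run it under the PHP version you deploy; the rows that differ between the three columns are exactly the behaviours to keep in mind when choosing one for output escaping.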