filter_var vs htmlentities vs htmlspecialchars


Question


Disclaimer



This is not a question about whether we should be escaping for database input. This is strictly looking at the technical differences between the three functions in the title.


There is this question (https://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars) discussing the difference between htmlentities() and htmlspecialchars(). But, it doesn't really discuss filter_var() and the information I found on Google was more along the lines of "Make sure you escape user input before it is echo'd!"

My questions are:


  • Why are htmlspecialchars() and htmlentities() commonly used over filter_var()?
  • Is there some performance hit from using filter_var()?
  • Is filter_var() not as secure as the other two options?
  • Is there any other reason NOT to use the following to encode user input before it is echoed?

filter_var($var, FILTER_SANITIZE_FULL_SPECIAL_CHARS);

Recommended answer


My guess (about lack of adoption) would be it's simply because the Filter extension is only enabled by default since v5.2, whereas the html* methods have been around longer.
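The answer covers adoption history but not the behavioural differences the question's four bullets ask about. The script below is an added example (not code from the question, the answer, or the PHP project) that runs constructed inputs through htmlspecialchars(), htmlentities() and filter_var(FILTER_SANITIZE_FULL_SPECIAL_CHARS) side by side, and times each one. It assumes PHP 7.4 or later, a CLI whose default_charset is UTF-8 (filter_var() reads that ini setting rather than taking a charset argument), and the sample strings are made up for illustration.

```php
<?php
// Added example, not part of the original question or answer.
// Assumes PHP 7.4+ (arrow functions, hrtime) and default_charset=UTF-8.
declare(strict_types=1);

// Constructed inputs covering the cases where the three functions differ:
// a single-quote attribute breakout, a non-ASCII character, an entity that
// is already encoded, and a string containing an invalid UTF-8 byte.
const SAMPLE_INPUTS = [
    'attr_breakout' => "' onmouseover='alert(1)",
    'non_ascii'     => "caf\u{e9} <b>",
    'pre_encoded'   => 'Tom &amp; Jerry',
    'invalid_utf8'  => "bad \xC3 byte",
];

// Run one input through every variant and return the encoded strings.
function encodeVariants(string $s): array
{
    return [
        // ENT_COMPAT was the default before PHP 8.1: it leaves ' untouched,
        // so a single-quoted attribute can still be broken out of.
        'htmlspecialchars ENT_COMPAT'       => htmlspecialchars($s, ENT_COMPAT | ENT_HTML401 | ENT_SUBSTITUTE, 'UTF-8'),
        // ENT_QUOTES encodes both quote characters (the default since PHP 8.1).
        'htmlspecialchars ENT_QUOTES'       => htmlspecialchars($s, ENT_QUOTES | ENT_HTML401 | ENT_SUBSTITUTE, 'UTF-8'),
        // double_encode=false leaves an existing &amp; alone.
        'htmlspecialchars no double-encode' => htmlspecialchars($s, ENT_QUOTES | ENT_HTML401 | ENT_SUBSTITUTE, 'UTF-8', false),
        // htmlentities also converts every character that has a named entity.
        'htmlentities ENT_QUOTES'           => htmlentities($s, ENT_QUOTES | ENT_HTML401 | ENT_SUBSTITUTE, 'UTF-8'),
        // filter_var: the manual documents it as htmlspecialchars() with
        // ENT_QUOTES; it always double-encodes and uses ini default_charset.
        'filter_var FULL_SPECIAL_CHARS'     => filter_var($s, FILTER_SANITIZE_FULL_SPECIAL_CHARS),
        'filter_var + NO_ENCODE_QUOTES'     => filter_var($s, FILTER_SANITIZE_FULL_SPECIAL_CHARS, FILTER_FLAG_NO_ENCODE_QUOTES),
    ];
}

// Rough per-call cost in nanoseconds, for the "performance hit" question.
// Absolute numbers depend on the machine; compare them relative to each other.
function benchmark(callable $fn, string $input, int $iterations = 200000): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $iterations; $i++) {
        $fn($input);
    }
    return (hrtime(true) - $start) / $iterations;
}

foreach (SAMPLE_INPUTS as $label => $raw) {
    echo "== {$label}: " . json_encode($raw, JSON_INVALID_UTF8_SUBSTITUTE) . "\n";
    foreach (encodeVariants($raw) as $variant => $out) {
        // var_export shows an empty result as '' instead of a blank line.
        printf("  %-34s %s\n", $variant, var_export($out, true));
    }
}

$probe = SAMPLE_INPUTS['attr_breakout'];
$timings = [
    'htmlspecialchars' => benchmark(fn(string $s) => htmlspecialchars($s, ENT_QUOTES, 'UTF-8'), $probe),
    'htmlentities'     => benchmark(fn(string $s) => htmlentities($s, ENT_QUOTES, 'UTF-8'), $probe),
    'filter_var'       => benchmark(fn(string $s) => filter_var($s, FILTER_SANITIZE_FULL_SPECIAL_CHARS), $probe),
];
foreach ($timings as $name => $ns) {
    printf("%-18s %.0f ns/call\n", $name, $ns);
}
```

What to look for in the output: the ENT_COMPAT row is the only one where the apostrophe in the attr_breakout input survives, which is why relying on the pre-8.1 htmlspecialchars() default inside a single-quoted attribute was an XSS hole; htmlentities() is the only variant that rewrites the é in non_ascii as a named entity; filter_var() encodes both quote characters and turns the pre-encoded &amp; into &amp;amp; with no way to switch double-encoding off; and for invalid_utf8 the manual documents that filter_var() rejects the whole string and returns an empty string, whereas htmlspecialchars() with ENT_SUBSTITUTE keeps the string and substitutes U+FFFD for the bad byte. The timing loop answers the performance question empirically rather than by guesswork; on current PHP all three are a thin wrapper around the same escaping routine, and the benchmark makes that visible on your own hardware.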
