Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

filter_var vs htmlentities vs htmlspecialchars

Tags:

php

escaping

html-entities

htmlspecialchars

filter-var

Disclaimer

This is not a question about whether we should be escaping for database input. This is strictly looking at the technical differences between the three functions in the title.

There is this question discussing the difference between htmlentities() and htmlspecialchars(). But, it doesn't really discuss filter_var() and the information I found on Google was more along the lines of "Make sure you escape user input before it is echo'd!"

My questions are:

  • Why are htmlspecialchars() and htmlentities() commonly used over filter_var()?
  • Is there some performance hit from using filter_var()?
  • Is filter_var() not as secure as the other two options?
  • Is there any other reason NOT to use the following to encode user input before being echod

filter_var($var, FILTER_SANITIZE_FULL_SPECIAL_CHARS);

like image 386
Charles Sprayberry Avatar asked Aug 05 '11 20:08

Charles Sprayberry

People also ask

What's the difference between Htmlentities () and htmlspecialchars ()?

Difference between htmlentities() and htmlspecialchars() function: The only difference between these function is that htmlspecialchars() function convert the special characters to HTML entities whereas htmlentities() function convert all applicable characters to HTML entities.

Is Htmlentities enough to prevent XSS?

In answer to your question, you should use htmlentities() when outputting any content that could contain user input or special characters. Show activity on this post. htmlspecialchars() is more than enough. htmlentities is for different use, not preventing XSS.

What is Htmlspecialchars?

Description. The htmlspecialchars() function is used to converts special characters ( e.g. & (ampersand), " (double quote), ' (single quote), < (less than), > (greater than)) to HTML entities ( i.e. & (ampersand) becomes &amp, ' (single quote) becomes &#039, < (less than) becomes &lt; (greater than) becomes &gt; ).

Does Htmlspecialchars prevent XSS?

Using htmlspecialchars() function – The htmlspecialchars() function converts special characters to HTML entities. For a majority of web-apps, we can use this method and this is one of the most popular methods to prevent XSS. This process is also known as HTML Escaping.

1 Answers

My guess (about lack of adoption) would be it's simply because the Filter extension is only enabled by default since v5.2, whereas the html* methods have been around longer.

like image 65
Stephen Avatar answered Sep 25 '22 02:09

Stephen
Sign in to Comment

Related questions

Retrieving website HTML page using cURL with current session and cookie data on secured page
What is the best way to bind decimal / double / float values with PDO in PHP?
Derived class defined later in the same file "does not exist"?
How to get Access Token and Access Token Secret from Magento 1.7 REST API
Performance text/html vs. application/json
Unit Test vs Integration Test in Web Development [closed]
Why is putenv() needed on an already defined environment variable?
tinymce "codesample" plugin executes HTML tag
Paypal IPN, Not getting all the transactions responses after changing the ipn url in the account
php mail on MAMP
Creating object from variable using Namespaces and Autoload in PHP
PHP trait: is there a proper way to ensure that class using a trait extends a super class which contains certain method?
PHP short circuit lazy evaluation, where is it in the php.net manual?
PHP library for creating/manipulating fixed-width text files
compare object properties and show diff in PHP
Add back and forward functionalities in slideshow
Efficient and user-friendly way to present slow-loading results
How to stream creation of a JSON File?
PHP -> CLI has stopped working
Please explain how to create PHP's Phar stubs

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!