filter_var vs htmlentities vs htmlspecialchars

php escaping html-entities htmlspecialchars filter-var
Charles Sprayberry picture Charles Sprayberry · Aug 5, 2011 · Viewed 8.3k times · Source

Disclaimer

This is not a question about whether we should be escaping for database input. This is strictly looking at the technical differences between the three functions in the title.

There is this question discussing the difference between htmlentities() and htmlspecialchars(). But, it doesn't really discuss filter_var() and the information I found on Google was more along the lines of "Make sure you escape user input before it is echo'd!"

My questions are:

  • Why are htmlspecialchars() and htmlentities() commonly used over filter_var()?
  • Is there some performance hit from using filter_var()?
  • Is filter_var() not as secure as the other two options?
  • Is there any other reason NOT to use the following to encode user input before being echod

filter_var($var, FILTER_SANITIZE_FULL_SPECIAL_CHARS);

Answer

Stephen picture Stephen · Aug 5, 2011

My guess (about lack of adoption) would be it's simply because the Filter extension is only enabled by default since v5.2, whereas the html* methods have been around longer.

Related questions

Pass a PHP string to a JavaScript variable (and escape newlines)

What is the easiest way to encode a PHP string for output to a JavaScript variable? I have a PHP string which includes quotes and newlines. I need the contents of this string to be put into a JavaScript variable. …

Read More
Escaping single quote in PHP when inserting into MySQL

I have a perplexing issue that I can't seem to comprehend... I have two SQL statements: The first enters information from a form into the database. The second takes data from the database entered above, sends an email, and then …

Read More
PHP JSON String, escape Double Quotes for JS output

I'm creating a JSON string from a PHP array. I've encoded it using json_encode(). $data = array( 'title' => 'Example string\'s with "special" characters' ); $data = json_encode( $data ); $data is localized using wp_localize_script() and is accessible via …

Read More