Disclaimer This is not a question about whether we should be escaping for database

Question

0

Asked: May 24, 20262026-05-24T10:14:13+00:00 2026-05-24T10:14:13+00:00

Disclaimer This is not a question about whether we should be escaping for database

0

Disclaimer

This is not a question about whether we should be escaping for database input. This is strictly looking at the technical differences between the three functions in the title.

There is this question discussing the difference between htmlentities() and htmlspecialchars(). But, it doesn’t really discuss filter_var() and the information I found on Google was more along the lines of “Make sure you escape user input before it is echo’d!”

My questions are:

Why are htmlspecialchars() and htmlentities() commonly used over filter_var()?
Is there some performance hit from using filter_var()?
Is filter_var() not as secure as the other two options?
Is there any other reason NOT to use the following to encode user input before being echod

filter_var($var, FILTER_SANITIZE_FULL_SPECIAL_CHARS);

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-24T10:14:13+00:00

Editorial Team

2026-05-24T10:14:13+00:00Added an answer on May 24, 2026 at 10:14 am

My guess (about lack of adoption) would be it’s simply because the Filter extension is only enabled by default since v5.2, whereas the html* methods have been around longer.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Disclaimer This is not a question about whether we should be escaping for database

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply