fortnox007 Posted February 6, 2011

Hi all, I just stumbled upon the 'new' filter function of PHP and I was wondering if someone could maybe recommend me which to use. For instance, if I have a script:

<?php
$_evilstring = "<script> alert('justin bieber is ruining your sound system')</script>";
$_clean1 = htmlspecialchars($_evilstring);
echo 'clean string one = '.$_clean1.'<br />';
$_clean2 = filter_var($_evilstring, FILTER_SANITIZE_SPECIAL_CHARS);
echo 'clean string two = '.$_clean2.'<br />';
?>

Both output exactly the same. Now I was wondering if there might be differences between them. For some reason I would like to use the filter function because the name sounds better, but that of course is not very scientific. Anyone with ideas, maybe performance, speed, wickedness?
lastkarrde Posted February 7, 2011

You can test the speeds yourself with the microtime() function. Chances are they do the same thing under the hood, but filter_var() is more modern, so I would use that (not knowing performance).
btherl Posted February 7, 2011

Have you read the manual for both? It appears that they act the same for printable characters, but that call to filter_var() will also do this: "and characters with ASCII value less than 32, optionally strip or encode other special characters." The "optionally" part is controlled by additional flags.
fortnox007 (Author) Posted February 7, 2011

Quoting btherl: "Have you read the manual for both? It appears that they act the same for printable characters, but that call to filter_var() will also do this: 'and characters with ASCII value less than 32, optionally strip or encode other special characters.' The 'optionally' part is controlled by additional flags."

Yeah, I have read the manual, that's where I discovered this. But I thought without using the optional part they would be pretty much the same, but it seems I missed the word 'and'.
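The difference btherl points to (handling of bytes with ASCII value below 32, and the flags that control the "optionally" part) is easiest to see on a string that actually contains such bytes. The script below is an added example written for this thread, not code posted by any participant; the input string and the helper name encode_both are constructed for the illustration. It dumps the raw bytes of each result so the output can be compared in a terminal rather than in a browser, where both versions render identically.

```php
<?php
// Added example: compare htmlspecialchars() with
// filter_var(..., FILTER_SANITIZE_SPECIAL_CHARS) on input containing
// control characters, which is where the manual says they differ.

function encode_both(string $input, int $filterFlags = 0): array
{
    return [
        // ENT_QUOTES makes htmlspecialchars() encode single quotes too,
        // which FILTER_SANITIZE_SPECIAL_CHARS does by default.
        'htmlspecialchars' => htmlspecialchars($input, ENT_QUOTES, 'UTF-8'),
        'filter_var'       => filter_var($input, FILTER_SANITIZE_SPECIAL_CHARS, $filterFlags),
    ];
}

// Constructed sample: markup, a single quote, a tab (0x09) and a
// control byte (0x01). The two low bytes are what separate the functions.
$sample = "<b>it's</b>\x09x\x01y";

echo "Default behaviour (hex of output):\n";
foreach (encode_both($sample) as $fn => $out) {
    printf("  %-16s %s\n", $fn, bin2hex($out));
}
// htmlspecialchars() leaves 0x09 and 0x01 untouched;
// FILTER_SANITIZE_SPECIAL_CHARS turns them into &#9; and &#1;.

echo "\nWith FILTER_FLAG_STRIP_LOW (bytes below 32 removed, not encoded):\n";
foreach (encode_both($sample, FILTER_FLAG_STRIP_LOW) as $fn => $out) {
    printf("  %-16s %s\n", $fn, bin2hex($out));
}
// Only the filter_var() line changes: the tab and 0x01 are gone.
// FILTER_FLAG_STRIP_HIGH / FILTER_FLAG_ENCODE_HIGH do the same for
// bytes above 127, which is why the manual says "optionally".
```

Both functions are output encoders for the HTML body context: they make markup inert when the string is printed inside an element. Neither makes a value safe for other contexts (an attribute built without quotes, a JavaScript string, a URL, an SQL statement), so the choice between them should follow from where the value is printed, not from which name sounds better.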