Jex’s Note

PHP - The difference between htmlentities and htmlspecialchars

What they have in common

Both convert the following characters:

  • & (ampersand) : &amp;
  • " (double quote) : &quot; (left alone only when ENT_NOQUOTES is set)
  • ' (single quote) : &#039; with ENT_HTML401, or &apos; with ENT_XML1, ENT_XHTML or ENT_HTML5, and only when ENT_QUOTES is set
  • < (less than) : &lt;
  • > (greater than) : &gt;

Neither converts letters, digits, parentheses or semicolons. The quote handling depends on the flags argument: before PHP 8.1 the default was ENT_COMPAT, which converts double quotes but leaves single quotes alone (the outputs below were produced with that default); from PHP 8.1 the default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, so both kinds of quote are converted.
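The single-quote row is where the flags matter in practice, so here is an added example (written for this page, not code from the original post) that runs htmlspecialchars over the five characters above under three flag combinations and places a constructed untrusted value inside a single-quoted attribute to show which combinations keep the attribute sealed. The input strings, the three flag sets and the helper names escape, renderInput and attributeIsSealed are this example's own choices; htmlentities is called alongside to confirm it agrees with htmlspecialchars on ASCII input.

```php
<?php
declare(strict_types=1);

// Added example for this page, not code from the original post. Runs
// htmlspecialchars over the five special characters under three flag sets and
// drops a constructed untrusted value into a single-quoted attribute to show
// which flag sets keep the attribute sealed. Names, flag sets and inputs are
// this example's own choices.

// The five characters both functions treat as special.
const SPECIALS = '& " \' < >';

// Constructed untrusted value aimed at value='...'. It is not taken from any
// real application; it simply contains a single quote followed by markup.
const PAYLOAD = "x' onmouseover='alert(1)";

// Flag combinations compared below. ENT_HTML401 is the default document type.
const FLAG_SETS = [
    'ENT_COMPAT (default before PHP 8.1)' => ENT_COMPAT | ENT_HTML401,
    'ENT_QUOTES | ENT_HTML401'            => ENT_QUOTES | ENT_HTML401,
    'ENT_QUOTES | ENT_HTML5'              => ENT_QUOTES | ENT_HTML5,
];

// Thin wrapper so the charset is always explicit; its default has changed
// between PHP versions.
function escape(string $s, int $flags): string
{
    return htmlspecialchars($s, $flags, 'UTF-8');
}

// A single-quoted attribute built from an untrusted value.
function renderInput(string $value, int $flags): string
{
    return "<input value='" . escape($value, $flags) . "'>";
}

// The check a template author wants: after escaping, can the value still
// close the surrounding single-quoted attribute?
function attributeIsSealed(string $value, int $flags): bool
{
    return strpos(escape($value, $flags), "'") === false;
}

foreach (FLAG_SETS as $label => $flags) {
    echo $label, PHP_EOL;
    echo '  specials : ', escape(SPECIALS, $flags), PHP_EOL;
    echo '  attribute: ', renderInput(PAYLOAD, $flags), PHP_EOL;
    echo '  sealed   : ', attributeIsSealed(PAYLOAD, $flags) ? 'yes' : 'NO', PHP_EOL;
    // For ASCII input htmlentities agrees with htmlspecialchars under the same
    // flags and charset, which is what the post's first example shows.
    $agree = htmlentities(SPECIALS, $flags, 'UTF-8') === escape(SPECIALS, $flags);
    echo '  htmlentities agrees: ', $agree ? 'yes' : 'no', PHP_EOL, PHP_EOL;
}
```

Under ENT_COMPAT the quote in the payload passes through and ends the attribute early, which is exactly the case the older default did not cover; ENT_QUOTES closes it with &#039; (HTML 4.01) or &apos; (HTML5). Passing the flags and the charset explicitly, as the wrapper does, makes the result independent of which PHP version the code runs on.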

Differences

  • htmlspecialchars converts only the HTML characters listed above
  • htmlentities also converts every other character that has a named HTML entity in the chosen charset (é becomes &eacute;, © becomes &copy;, and so on). Chinese characters have no named entities, so with the correct charset ('UTF-8') they pass through unchanged; the "converted Chinese" in the example below is what happens when the charset is wrong.

Example

Without Chinese:

Code:

echo htmlentities("<script type='text/javascript'>alert(1);</script>");
echo htmlspecialchars("<script type='text/javascript'>alert(1);</script>");

Converted source:

&lt;script type='text/javascript'&gt;alert(1);&lt;/script&gt;
&lt;script type='text/javascript'&gt;alert(1);&lt;/script&gt;

Rendered in the browser:

<script type='text/javascript'>alert(1);</script>
<script type='text/javascript'>alert(1);</script>

Both give the same result: the tag is displayed as text rather than executed. The single quotes survive because these calls use the old ENT_COMPAT default; with ENT_QUOTES both functions would emit &#039; in their place.

With Chinese:

Code:

echo htmlentities("<script type='text/javascript'>alert(1);</script>測試");
echo htmlspecialchars("<script type='text/javascript'>alert(1);</script>測試");

Converted source:

&lt;script type='text/javascript'&gt;alert(1);&lt;/script&gt;&aelig;&cedil;&not;&egrave;&copy;&brvbar;
&lt;script type='text/javascript'&gt;alert(1);&lt;/script&gt;測試

Rendered in the browser:

<script type='text/javascript'>alert(1);</script>æ¸¬è©¦
<script type='text/javascript'>alert(1);</script>測試

The results differ, and the htmlentities output is mojibake rather than an encoding of 測試. The source string is UTF-8 (測 is the bytes E6 B8 AC, 試 is E8 A9 A6), but no charset was passed, and on PHP versions before 5.4 htmlentities defaulted to ISO-8859-1, so each byte was read as one Latin-1 character and replaced by that character's named entity: E6 is æ (&aelig;), B8 is ¸ (&cedil;), AC is ¬ (&not;), E8 is è (&egrave;), A9 is © (&copy;), A6 is ¦ (&brvbar;). A browser decodes those six entities back to six Latin-1 characters, not to 測試. With htmlentities($s, ENT_COMPAT, 'UTF-8'), or on PHP 5.4 and later where the default charset is UTF-8, the Chinese text is left unchanged, because CJK characters have no named entities. htmlspecialchars only ever rewrites the five ASCII characters listed at the top, so it leaves 測試 alone in either case.
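The difference above comes entirely from the charset argument, which the calls omit. The following added example (not from the original post) reproduces both htmlentities outputs from one UTF-8 string by changing only the declared charset, dumps the bytes of 測試 so each entity name can be traced to a byte, and then shows what both functions do with a constructed truncated UTF-8 sequence, the other encoding-related way these functions surprise people. The helper names, the truncated input and the escapeOrFail guard are this example's own choices; ENT_COMPAT is used so the output matches the post's, while ENT_QUOTES is what you would actually want in production.

```php
<?php
declare(strict_types=1);

// Added example for this page, not code from the original post. Reproduces
// both htmlentities outputs of the Chinese example from one UTF-8 string by
// changing only the declared charset, dumps the bytes of 測試 so each entity
// name can be traced to a byte, and shows what both functions do with a
// constructed truncated UTF-8 sequence. Helper names and inputs are this
// example's own choices.

// This file is saved as UTF-8, so the literal holds the bytes E6 B8 AC E8 A9 A6.
const TEXT = "<script type='text/javascript'>alert(1);</script>測試";

// ENT_COMPAT matches the flags the post's output was produced with (single
// quotes untouched). In real code use ENT_QUOTES as well.
const FLAGS = ENT_COMPAT | ENT_HTML401;

// Constructed invalid input: the first two bytes of 測 with the third missing,
// as happens when a UTF-8 string is cut at a byte boundary.
const TRUNCATED = "<b>\xE6\xB8";

// Space-separated upper-case hex of every byte, for tracing the mojibake.
function hexBytes(string $s): string
{
    return implode(' ', str_split(strtoupper(bin2hex($s)), 2));
}

// Same input and flags, only the declared charset differs.
function entitiesAs(string $s, string $charset): string
{
    return htmlentities($s, FLAGS, $charset);
}

// Without ENT_SUBSTITUTE (or ENT_IGNORE) an invalid sequence makes the whole
// return value an empty string, so the content disappears silently.
function escapeStrict(string $s): string
{
    return htmlspecialchars($s, FLAGS, 'UTF-8');
}

// ENT_SUBSTITUTE replaces the bad sequence with U+FFFD and keeps the rest.
function escapeSubstitute(string $s): string
{
    return htmlspecialchars($s, FLAGS | ENT_SUBSTITUTE, 'UTF-8');
}

// A guard worth having in a template helper: an empty result for a non-empty
// input means the escaper rejected the bytes, which should be an error rather
// than a blank spot on the page.
function escapeOrFail(string $s): string
{
    $out = escapeStrict($s);
    if ($s !== '' && $out === '') {
        throw new UnexpectedValueException('not valid UTF-8: ' . hexBytes($s));
    }
    return $out;
}

echo 'bytes of 測試       : ', hexBytes('測試'), PHP_EOL;
echo 'charset UTF-8       : ', entitiesAs(TEXT, 'UTF-8'), PHP_EOL;
echo 'charset ISO-8859-1  : ', entitiesAs(TEXT, 'ISO-8859-1'), PHP_EOL;
echo 'htmlspecialchars    : ', htmlspecialchars(TEXT, FLAGS, 'UTF-8'), PHP_EOL;
echo PHP_EOL;
echo 'truncated, strict   : "', escapeStrict(TRUNCATED), '"', PHP_EOL;
echo 'truncated, subst.   : "', escapeSubstitute(TRUNCATED), '"', PHP_EOL;
try {
    escapeOrFail(TRUNCATED);
} catch (UnexpectedValueException $e) {
    echo 'truncated, guarded  : ', $e->getMessage(), PHP_EOL;
}
```

The ISO-8859-1 line reproduces the &aelig;&cedil;&not;&egrave;&copy;&brvbar; string from the post, and the UTF-8 line reproduces the unchanged 測試, with nothing but the charset argument changing between them. The truncated-input lines matter for the same reason in reverse: both functions validate the bytes against the declared charset, so a mismatch between what the application thinks the encoding is and what the bytes actually are can either corrupt the text (wrong charset) or blank it (strict flags), and neither failure is loud unless you check for it. If the mbstring extension is available, mb_check_encoding($s, 'UTF-8') is the explicit validity check to run before escaping.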

Performance comparison:

Test code:

<?php
$orig = '<div style="background:#ffc">Hello World</div>';
$converted_htmlspecialchars = htmlspecialchars($orig);
$converted_htmlentities = htmlentities($orig);
// First check whether the two functions produce the same output for this input
if ($converted_htmlspecialchars !== $converted_htmlentities) {
    echo "special and ent not equal<br />";
} else {
    echo "They are equal!<br />";
}
$iRepeatNTimes = 100000;
// Time 100,000 calls of htmlspecialchars on the same input
$startTime = microtime(true);
for ($i = 0; $i < $iRepeatNTimes; $i++) {
    $s = htmlspecialchars($orig);
}
echo "It took " . (microtime(true) - $startTime) . " to finish<br />";
// Time 100,000 calls of htmlentities on the same input
$startTime = microtime(true);
for ($i = 0; $i < $iRepeatNTimes; $i++) {
    $s = htmlentities($orig);
}
echo "It took " . (microtime(true) - $startTime) . " to finish<br />";

The two loops above were then repeated several times to see how much the timings vary from the first run.

Results (seconds for 100,000 calls; first line htmlspecialchars, second line htmlentities):

Run 1:

They are equal!
It took 0.097237110137939 to finish
It took 0.23933792114258 to finish

Run 2:

They are equal!
It took 0.090903043746948 to finish
It took 0.24001097679138 to finish

Run 3:

They are equal!
It took 0.09278392791748 to finish
It took 0.23876214027405 to finish

Run 4:

They are equal!
It took 0.0883948802948 to finish
It took 0.23934412002563 to finish

Run 5:

They are equal!
It took 0.096112966537476 to finish
It took 0.23781609535217 to finish

Conclusions:

  1. For input containing only digits, letters and ASCII punctuation the two functions produce identical output under the same flags.
  2. With Chinese input the results differ, but not because htmlentities "converts Chinese": called without a charset on old PHP it read the UTF-8 bytes as ISO-8859-1 and emitted the wrong Latin-1 entities. With 'UTF-8' passed explicitly (or the PHP 5.4+ default) htmlentities leaves Chinese characters unchanged. Always pass the charset, and make sure it matches the encoding the page is actually served in.
  3. htmlspecialchars was roughly 2.6 times faster than htmlentities in this benchmark (about 0.09 s versus 0.24 s for 100,000 calls on one short string, averaged over five runs). The exact ratio will vary with the input and the PHP build, but the direction is expected, since htmlentities has to consult a far larger entity table, and that extra work adds nothing to XSS protection in HTML content and attribute contexts: the five characters the HTML parser cares about are handled identically by both. For UTF-8 pages, htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') is the sensible default.

References:
http://blog.fesite.com/2007/08/23/php-htmlentities-htmlspecialchars/
http://www.sitepoint.com/forums/showthread.php?574723-don-t-use-htmlentities()-use-htmlspecialchars()-instead-faster-and-UTF-8-compat
