To defend from SQL injection use prepared statements if possible. If not, use mysql_real_escape_string for strings, (int) casting or intval() for integers, (float) or floatval() for floats and addcslashes($input, '%_') for strings to be used inside LIKE statements. Things get even more complicated when trying to escape strings to be used inside RLIKE statements.

如果可能，为了防止 SQL 注入，请使用准备好的语句。如果不是，则对字符串使用 mysql_real_escape_string，对整数使用 (int) 转换或 intval()，对浮点数使用 (float) 或 floatval()，对要在 LIKE 语句中使用的字符串使用 addcslashes($input, '%_') 。尝试转义要在 RLIKE 语句中使用的字符串时，事情变得更加复杂。

For filtering HTML content, the best would be strip_tags (without passing $allowable_tags), but... you may not like/want it, in which case the most affordable solution is:

对于过滤 HTML 内容，最好的方法是 strip_tags（不传递 $allowable_tags），但是……您可能不喜欢/不想要它，在这种情况下，最实惠的解决方案是：

$escaped = htmlspecialchars($input, ENT_QUOTES, $your_charset);

A more reliable solution would be to use a library like HTML Purifier

更可靠的解决方案是使用像HTML Purifier这样的库

Filter functions are OK, but some of them are more validators than filters. Depending on your needs you may find some of them useful.

过滤器函数是可以的，但其中一些是比过滤器更多的验证器。根据您的需要，您可能会发现其中一些很有用。

You adjust filter_varby using it with the FILTER_*constants. It sounds like you're looking for sanitisationof data (actually adjusting the data to make it safe*) rather than validation(checking the data is safe).

您可以filter_var通过将其与FILTER_*常量一起使用来进行调整。听起来您正在寻找数据清理（实际上是调整数据以使其安全*）而不是验证（检查数据是否安全）。

Different filters can help with different tasks. While mysql_real_escape_stringis ok for sanitising data to prevent SQL injection it's no good for outputting data that may contain HTML. Here's a couple of filter's I'd use for everyday tasks:

不同的过滤器可以帮助完成不同的任务。虽然mysql_real_escape_string可以清理数据以防止 SQL 注入，但对于输出可能包含 HTML 的数据并不好。这是我用于日常任务的几个过滤器：

• FILTER_SANITIZE_SPECIAL_CHARS- useful for displaying (not removing) HTML code, preventing XSS attacks and converting symbols to HTML entities.
• FILTER_SANITIZE_STRINGwith the STRIP_LOW/HIGHflags - actually removes HTML (see strip_tags).
• FILTER_SANITIZE_URL- makes URLs safe*.
• FILTER_SANITIZE_EMAIL- makes email addresses safe, although I'd prefer to use it's validation cousin before storing the address.

• FILTER_SANITIZE_SPECIAL_CHARS- 用于显示（而不是删除）HTML 代码、防止 XSS 攻击和将符号转换为 HTML 实体。
• FILTER_SANITIZE_STRING带有STRIP_LOW/HIGH标志 - 实际上删除了 HTML（请参阅 参考资料strip_tags）。
• FILTER_SANITIZE_URL- 使 URL 安全*。
• FILTER_SANITIZE_EMAIL- 使电子邮件地址安全，尽管我更喜欢在存储地址之前使用它的验证表亲。

* I use safe loosely, I'm of the opinion that you can never be too sure.

* 我使用安全松散，我认为你永远不会太确定。

It all depends on what you mean by a valid url or a valid email.

这完全取决于您所说的有效网址或有效电子邮件的含义。

For example [email protected]- well, you could filter top level domains to exclude .cbut the list of top level domains is not constant. Moreover all the characters are valid. Even though this looks weird and is almost certainly not valid, many regex filters will validate it too.

例如[email protected]- 好吧，您可以过滤顶级域以排除，.c但顶级域列表不是恒定的。而且所有字符都是有效的。尽管这看起来很奇怪并且几乎肯定是无效的，但许多正则表达式过滤器也会对其进行验证。

With the email [email protected]or url http://.if displayed or used in links they will do no harm, even if they go nowhere.

如果在链接中显示或使用电子邮件[email protected]或 url http://.，即使它们无处可去，它们也不会造成任何伤害。

I think part of the issue is the question of how loose do you want your filters. If the big concern is XSSor SQL injectionor otherwise preventing dangerous input, whether or not the value is usable may be irrelevant, so this sort of filter may do the trick.

我认为问题的一部分是你想要你的过滤器有多松的问题。如果最大的问题是XSS或SQL 注入或以其他方式防止危险输入，则该值是否可用可能无关紧要，因此这种过滤器可能会起作用。

If you want to make sure the value is not just safe but also usable, that's a trickier beast.

如果您想确保该值不仅安全而且可用，这是一个更棘手的野兽。

It really depends what you're trying to do, I can't really answer without knowing specifics. The possible filters and their effects are listed here: Types of filters

这真的取决于你想要做什么，如果不知道具体情况，我无法真正回答。此处列出了可能的过滤器及其效果：过滤器类型

Just based on some minor testing, I've come to the conclusion that filter_var's constants are not trustworthy.

仅基于一些小测试，我得出的结论是filter_var的常量不值得信赖。

For example:

例如：

filter_var('[email protected]', FILTER_VALIDATE_EMAIL); // valid
filter_var('http://.', FILTER_VALIDATE_URL); // valid
filter_var('[email protected]', FILTER_SANITIZE_EMAIL); // [email protected]
filter_var('http://.', FILTER_SANITIZE_URL); // http://.

These are clearly invalid values, but pass filter_var's constants. Do not trust filter_var.

这些显然是无效的值，但是 passfilter_var的常量。不要相信filter_var。