When using htmlspecialchars to encode special characters (&, ', ", <, >) in the parameters passed by the form (due to the need for security filtering when inserting into the database), the following problems will occur.
If the user uploads a file with special characters, such as ', the following problem will occur when the file name is saved to the database
If your server-side PHP code passes $_GET[' id'] indirectly to obtain its file name, and then transfer it to the client by name.
<?php
$name = mysql_query('SELECT name FROM accessories');//通过 ID 获取文件名
//......获取文件......
$file_path = ROOT_PATH . '/uploads/accessories/'. $name;
header ( 'Content-Disposition: attachment; filename=' . urlencode ( $name ) );
header ( 'Content-type: application/octet-stream;' );
header ( 'Content-Length: ' . filesize ( $file_path ) );
readfile ( $file_path );
exit ();
?>?Then the following file name error will occur when downloading
Personal homepage: https://plus.google.com/+sherlockwang/posts
The above has introduced the disadvantages of using htmlspecialchars to encode special characters in PHP, including the relevant aspects. I hope it will be helpful to friends who are interested in PHP tutorials.
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
