URL filtering in php, filter_var or htmlentities

For a secure url query, what is more secure? filter_var($string, FILTER_SANITIZE_SPECIAL_CHARS) or htmlen开发者_开发问答tities ?

The first one is clearly designed for such a purpose.

What are you defending against? A vulnerability is highly dependent on how the data is being used. Its impossible to create 1 function call that protects against everything, and mixing protection systems (like xss and sql injection) is a very bad idea.

For XSS you should use: htmlspecialchars($var, ENT_QUOTES);

For Sql Injection in mysql you should use mysql_real_escape_string($var);

If you are passing user input to system() or another similar function then you should use escapeshellarg($var);

These are the top 3 and mixing these will cause nothing but problems.