Disadvantages of using htmlspecialchars to encode special characters in PHP

When using htmlspecialchars to encode special characters (&, ', ", <, >) in the parameters passed by the form (due to the need for security filtering when inserting into the database), the following problems will occur.

If the user uploads a file with special characters, such as ', the following problem will occur when the file name is saved to the database

If your server-side PHP code passes $_GET[' id'] indirectly to obtain its file name, and then transfer it to the client by name.

<?php    
$name = mysql_query('SELECT name FROM accessories');//通过 ID 获取文件名
//......获取文件......
$file_path = ROOT_PATH . '/uploads/accessories/'. $name;
header ( 'Content-Disposition: attachment; filename=' . urlencode ( $name ) );
header ( 'Content-type: application/octet-stream;' );
header ( 'Content-Length: ' . filesize ( $file_path ) );
readfile ( $file_path );
exit ();
?>?

Then the following file name error will occur when downloading

Personal homepage: https://plus.google.com/+sherlockwang/posts

Original link: http://woqilin.blogspot.com/2012/10/php-htmlspecialchars.html

The above has introduced the disadvantages of using htmlspecialchars to encode special characters in PHP, including the relevant aspects. I hope it will be helpful to friends who are interested in PHP tutorials.