虽然编码字符是一件好事，但必须确保不要过度编码.

While encoding characters is a good thing, one must make sure not to over-encode.

仅对当时的/needs/进行编码.在将HTML放入数据库之前，请勿对HTML进行编码.您可能需要稍后打印出东西，或者可能要对其进行搜索.为SQL使用正确的转义序列(或者更好的是，使用PDO).

Only encode what /needs/ encoded at that time. Don't encode the HTML before putting it into your database. You may want to print things out later, or you may want to run searches against it. Use the proper escape sequences for SQL (or, better yet, use PDO).

仅在将内容发送到浏览器时，才应转义HTML，然后才需要确定所需的转义类型.要将<和&之类的内容转换为字符实体，以便它们正确显示，请使用右转义方法.

Only when you are sending things to the browser should you escape the HTML, and then you need to decide what kind of escaping you need. To convert things like < and & as the character entities so they will display properly, then use the right escape method for that.