我想做的就是将 html 注入转义到我的输入文本框中。我没有正确使用 htmlentities 吗？

代码：

<?php

   require_once "pdo.php";

   // Demand a GET parameter

   if ( ! isset($_GET['name']) || strlen($_GET['name']) < 1  ) {

       die('Name parameter missing');

   } else {

       $username = $_GET['name'];

   }

   // If the user requested logout go back to index.php

   if ( isset($_POST['logout']) ) {

       header('Location: index.php');

       return;

   }

   $year = isset($_POST['year']) ? $_POST['year'] : '';

   $mileage = isset($_POST['mileage']) ? $_POST['mileage'] : '';

   $make = isset($_POST['make']) ? $_POST['make'] : '';

   $failure = false;

   $success = false;

   if ( isset($_POST['make']) && isset($_POST['year']) 

        && isset($_POST['mileage'])) {

       //$year = $_POST['year'];

       //$mileage = $_POST['mileage'];

       //$make = $_POST['make'];

       if ( strlen($make) < 1){

           $failure = "Make is Required";

       } else {       

           if (is_numeric($year) and is_numeric($mileage) ){

               error_log("year is a number ".$_POST['year']);        

               error_log("Mileage is a number ".$_POST['mileage']);

               $sql = "INSERT INTO autos (make, year, mileage) 

                 VALUES (:make, :year, :mileage)";

               $stmt = $pdo->prepare($sql);

               $stmt->execute(array(

               ':make' => $make,

               ':year' => $year,

               ':mileage' => $mileage));

               $success = "Record Inserted";      

           } else {

               $failure = "Mileage and Year must be numeric";

               error_log("year or mileage is not a number year=".$_POST['year']);        

               error_log("Mileage or year is not a number mileage=".$_POST['mileage']);

           }

       }

   }

输出不会转义见截图：