Automatically escaping strings

string addslashes ( string source)

string stripslashes ( string source)

Very often you will work in situations where single quotes ', double quotes ", and backslashes \ can cause problems: databases, files, and some protocols require that you escape them with \, making \', \", and \\ respectively. addslashes() takes a string as its only parameter, and returns the same string with each of these characters escaped by a preceding backslash.

In php.ini there is an option "magic_quotes_gpc" that you can set to enable "magic quotes" functionality. If enabled, PHP will automatically call addslashes() on every piece of data sent in from users, which can sometimes be a good thing. However, in reality it is often annoying - particularly when you plan to use your variables in other ways.

Note that calling addslashes() repeatedly will add more and more slashes, like this:

$string = "I'm a lumberjack and I'm okay!";
$a = addslashes($string);
$b = addslashes($a);
$c = addslashes($b);

After running that code, you will have the following:

$a: I\'m a lumberjack and I\'m okay!
$b: I\\\'m a lumberjack and I\\\'m okay!
$c: I\\\\\\\'m a lumberjack and I\\\\\\\'m okay!

The number of slashes increases so quickly because PHP adds a slash before each single quote and each double quote, and also before every backslash already in the string, so the slashes added by one call are themselves escaped by the next.

addslashes() has a counterpart, stripslashes(), that removes one set of slashes. Continuing on from the previous code, we can therefore have:

$d = stripslashes($c);
$e = stripslashes($d);
$f = stripslashes($e);

Running the new code after the old code gives:

$d: I\\\'m a lumberjack and I\\\'m okay!
$e: I\'m a lumberjack and I\'m okay!
$f: I'm a lumberjack and I'm okay!
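
The magic_quotes_gpc behaviour and the repeated-escaping problem described above, as an added example that is not part of the original tutorial: it removes one layer of slashes at the input boundary, and only when magic quotes are known to be on. The helper names strip_one_layer() and normalise_input() and the sample $post array are hypothetical.

```php
<?php
// Added example, not from the original tutorial.
// Goal: undo magic-quotes escaping once, where input enters the program,
// so that any later escaping is applied exactly one time.

// Hypothetical helper: strip one layer of slashes, recursing into arrays.
function strip_one_layer($value)
{
    if (is_array($value)) {
        return array_map('strip_one_layer', $value); // keys are preserved
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Hypothetical helper: return request data with magic-quotes escaping removed.
// When $magicQuotesOn is null, ask the running PHP; get_magic_quotes_gpc()
// does not exist in PHP 8, so its absence is treated as "off".
function normalise_input(array $input, $magicQuotesOn = null)
{
    if ($magicQuotesOn === null) {
        $magicQuotesOn = function_exists('get_magic_quotes_gpc')
            && @get_magic_quotes_gpc();
    }
    return $magicQuotesOn ? strip_one_layer($input) : $input;
}

// Constructed sample: what $_POST would hold with magic_quotes_gpc enabled.
$raw  = "I'm a lumberjack and I'm okay!";
$post = array(
    'comment' => addslashes($raw),
    'tags'    => array(addslashes('say "hi"'), addslashes('C:\\temp')),
);

// Escaping the already-escaped value again reproduces $b from the text.
echo addslashes($post['comment']), "\n";

// Normalised once, every value is back to what the user actually typed.
$clean = normalise_input($post, true);
echo $clean['comment'], "\n";
echo $clean['tags'][0], ' | ', $clean['tags'][1], "\n";

// With magic quotes off the data must be left alone: stripping a string
// that was never escaped would eat its real backslash.
$plain = normalise_input(array('path' => 'C:\\temp'), false);
echo $plain['path'], ' vs ', stripslashes($plain['path']), "\n";
```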

