Automatically escaping strings

string addslashes ( string source)

string stripslashes ( string source)

Very often you will work in situations where single quotes ', double quotes ", and backslashes \ can cause problems - databases, files, and some protocols require that you escape them with \, making \', \", and \\ respectively. Addslashes() takes a string as its only parameter, and returns the same string with these offending characters escaped so that they are safe for use.

In php.ini there is an option "magic_quotes_gpc" that you can set to enable "magic quotes" functionality. If enabled, PHP will automatically call addslashes() on every piece of data sent in from users, which can sometimes be a good thing. However, in reality it is often annoying - particularly when you plan to use your variables in other ways.

Note that calling addslashes() repeatedly will add more and more slashes, like this:

<?php

      $string = "I'm a lumberjack and I'm okay!";

      $a = addslashes($string);

      $b = addslashes($a);

      $c = addslashes($b);
 ?>

After running that code, you will have the following:

$a: I\'m a lumberjack and I\'m okay!

  $b: I\\\'m a lumberjack and I\\\'m okay!

  $c: I\\\\\\\'m a lumberjack and I\\\\\\\'m okay!

The reason the number of slashes increases so quickly is because PHP will add a slash before each single quote, as well as slashes before every double quote.

Addslashes() has a counterpart, stripslashes(), that removes one set of slashes. Continuing on from the previous code, we therefore can have:

<?php

      $d = stripslashes($c);

      $e = stripslashes($d);

      $f = stripslashes($e);
 ?>

After running the new code after the old code, we get:

$d: I\\\'m a lumberjack and I\\\'m okay!

  $e: I\'m a lumberjack and I\'m okay!

  $f: I'm a lumberjack and I'm okay!

Next chapter: Pretty-printing numbers >>

Previous chapter: Alternative data hashing

Jump to:

Home: Table of Contents