PhpDig.net

addslashes

Name

addslashes — Escapes all backslashes, null bytes, and single or double quotes in a given string.

Synopsis

string addslashes(string);
string string: String to escape

Returns

String with special characters escaped

Description

addslashes() is usually used to prepare a string for storage in a database or some kind of delimited format such as comma-separated values (CSV). The function places a single backslash in front of any backslashes (\), quotes (" or ') or null (\0) bytes in the string argument. This prevents the contents of the string from accidentally "breaking" the quoting of whatever format the string is being stored in. See the first example for a practical demonstration of how this can happen.

Version

PHP 3+, PHP 4+

Example

Example 1186. Prepare a string for use in a MySQL query

<?php
// Database connection code omitted for brevity
// ...

// Pretend that $HTTP_POST_VARS['comment'] came from a user posting a form
$HTTP_POST_VARS['comment'] = "Why haven't you updated your site for 2 months?";

// Insert data straight from a form into a database
// Suppress any errors that are generated
$query = "INSERT INTO user (comment) VALUES ('$HTTP_POST_VARS[comment]')";
$query_handle = @ mysql_query($query);

if (mysql_errno())
    echo 'MySQL did not like the query! It returned the following error:<br /><i>'
    . mysql_error() . '</i><br /><br />';

echo <<<HEREDOC
   <b>Here is what went wrong:</b><br />
   \$HTTP_POST_VARS['comment'] contained: "<i>$HTTP_POST_VARS[comment]</i>".<br />
   We built a query with it that looked like: "<i>$query</i>"<br />
   The single quote (') that already existed in the string caused the single
   quotes used to delimit the value for the <i>comment</i> field to end prematurely,
   giving us a syntax error in our query.<br /><br />
HEREDOC;


// Here is a better way to do it.

// Clean user input from an HTML form
// Remove trailing and leading whitespace with trim()
// ...then escape quotes, null bytes, and backslashes with addslashes()
$clean_data = addslashes(trim($HTTP_POST_VARS['comment']))
    or die("Please fill out the <i>Comments</i> field.");

// Insert data into database
$query = "INSERT INTO user (comment) VALUES ('$clean_data')";
$query_handle = @ mysql_query($query);

echo <<<HEREDOC
   <b>Here is what we did to fix it:</b><br />
   We passed the form data to addslashes(), which converted them to: "<i>$clean_data</i>"<br />
   We then built a query with the cleaned data that looked like this: "<i>$query</i>"<br />

   See how the single quote (') that already existed in the string is escaped - this prevented
   the single quotes used to delimit the value for the <i>comment</i> field from ending prematurely.
   <br /><br />
HEREDOC;
?>

Example 1187. Show how addslashes() transforms a string

<?php
echo "Before addslashes():\n";
echo $quote = <<<QUOTE
 "We all felt the majesty of the body...
  As we saw the artificial heart beat...
  the feeling was not aren't we great,
  but aren't we small."
              --- Dr William C DeVries\0\n\n
QUOTE;

echo "After addslashes():\n";
echo $cleaned_quote = addslashes($quote);
?>

Output:
Before addslashes():
 "We all felt the majesty of the body...
  As we saw the artificial heart beat...
  the feeling was not aren't we great,
  but aren't we small."
              --- Dr William C DeVries

After addslashes():
 \"We all felt the majesty of the body...
  As we saw the artificial heart beat...
  the feeling was not aren\'t we great,
  but aren\'t we small.\"
              --- Dr William C DeVries\0
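An added example, not from the book, that checks the claim made in the Description and in Example 1186 without a database: a small decoder for MySQL's single-quoted literal syntax shows the unescaped value ending the literal early, while the addslashes() value decodes back to the original bytes. It assumes PHP 7.1 or later; decode_single_quoted_literal() is a hypothetical helper that covers only the escapes addslashes() emits.

```php
<?php
// Added example (not from the book): show why addslashes() keeps a value
// inside a single-quoted MySQL literal, using a small decoder for that
// literal syntax instead of a live database.

// Hypothetical helper: decode the first single-quoted literal in $sql using
// MySQL's backslash escapes (only the ones addslashes() produces).
// Returns [decoded value, text left over after the closing quote].
function decode_single_quoted_literal(string $sql): array
{
    $start = strpos($sql, "'");
    if ($start === false) {
        throw new InvalidArgumentException('no literal found');
    }
    $out = '';
    $len = strlen($sql);
    for ($i = $start + 1; $i < $len; $i++) {
        $c = $sql[$i];
        if ($c === '\\' && $i + 1 < $len) {   // backslash escape: \' \" \\ \0
            $next = $sql[++$i];
            $out .= ($next === '0') ? "\0" : $next;
        } elseif ($c === "'") {                // unescaped quote ends the literal
            return [$out, substr($sql, $i + 1)];
        } else {
            $out .= $c;
        }
    }
    throw new RuntimeException('unterminated literal');
}

// Constructed input containing every character addslashes() touches.
$comment = "Why haven't you \"updated\"? C:\\path\0";

// Without escaping, the embedded quote ends the literal early and the rest
// of the user data is read as SQL syntax (the failure shown in Example 1186).
$naive = "INSERT INTO user (comment) VALUES ('$comment')";
[$value, $rest] = decode_single_quoted_literal($naive);
var_dump($value === "Why haven");      // bool(true): literal cut short
var_dump($rest);                       // the remainder of the data, outside the literal

// With addslashes(), the literal ends where intended and decodes back to
// the original bytes, NUL byte included.
$escaped = "INSERT INTO user (comment) VALUES ('" . addslashes($comment) . "')";
[$value, $rest] = decode_single_quoted_literal($escaped);
var_dump($value === $comment);         // bool(true)
var_dump($rest === ')');               // bool(true)
```

addslashes() knows nothing about the connection's character set, so on current PHP use mysqli_real_escape_string() on an open connection or, better, a prepared statement with bound parameters, which removes the quoting problem altogether.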



PHP Functions Essential Reference. Copyright © 2002 by New Riders Publishing (Authors: Zak Greant, Graeme Merrall, Torben Wilson, Brett Michlitsch). This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/). The authors of this book have elected not to choose any options under the OPL. This online book was obtained from http://www.fooassociates.com/phpfer/ and is designed to provide information about the PHP programming language, focusing on PHP version 4.0.4 for the most part. The information is provided on an as-is basis, and no warranty or fitness is implied. All persons and entities shall have neither liability nor responsibility to any person or entity with respect to any loss or damage arising from the information contained in this book.
