Automatically escaping strings

string addslashes ( string source)

string stripslashes ( string source)

Very often you will work in situations where single quotes ', double quotes ", and backslashes \ cause problems: databases, files, and some protocols require that you escape them with a backslash, giving \', \", and \\ respectively. addslashes() takes a string as its only parameter and returns the same string with these characters escaped.

Although you can use addslashes() with databases, it's not recommended because it escapes only quotes, which leaves some other potentially dangerous text in your input. If you're looking to escape strings for databases, you should use mysqli_real_escape_string() or the equivalent for your database.

Note that calling addslashes() repeatedly will add more and more slashes, like this:

    <?php
    $string = "I'm a lumberjack and I'm okay!";
    $a = addslashes($string); // one backslash before each quote
    $b = addslashes($a);      // escapes the quote again, and the backslash added above
    $c = addslashes($b);      // and again

After running that code, you will have the following:

$a: I\'m a lumberjack and I\'m okay!
$b: I\\\'m a lumberjack and I\\\'m okay!
$c: I\\\\\\\'m a lumberjack and I\\\\\\\'m okay!

The reason the number of slashes increases so quickly is that PHP adds a slash before each single quote and double quote, and also before each backslash, so every pass escapes the quote again and doubles all of the backslashes added by the previous pass.

addslashes() has a counterpart, stripslashes(), that removes one layer of slashes. Continuing from the previous code, we can therefore write:

    $d = stripslashes($c);
    $e = stripslashes($d);
    $f = stripslashes($e);

Running this after the earlier code gives:

$d: I\\\'m a lumberjack and I\\\'m okay!
$e: I\'m a lumberjack and I\'m okay!
$f: I'm a lumberjack and I'm okay!
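As an added example (not part of the original chapter), the following PHP script shows the full set of characters addslashes() touches, that stripslashes() undoes exactly one layer, and the failure mode of calling stripslashes() on a string that was never escaped. The sample strings, including the Windows-style path, are constructed for this example.

```php
<?php
// Added example, not from the original chapter. addslashes() escapes
// single quotes, double quotes, backslashes and NUL bytes; nothing else.

// Apply addslashes() $n times and return every intermediate result.
function escape_layers(string $s, int $n): array
{
    $layers = [];
    for ($i = 0; $i < $n; $i++) {
        $s = addslashes($s);
        $layers[] = $s;
    }
    return $layers;
}

// addslashes() and stripslashes() are inverses only when used as a pair:
// one stripslashes() call undoes exactly one addslashes() call.
function round_trips_cleanly(string $original): bool
{
    return stripslashes(addslashes($original)) === $original;
}

$sample = "I'm a lumberjack and I'm okay!";
foreach (escape_layers($sample, 3) as $i => $layer) {
    // Each pass escapes the quote and doubles the backslashes from the
    // previous pass, so the run of backslashes before the quote grows
    // as 2^n - 1, exactly as in the chapter's $a, $b and $c.
    printf("pass %d: %s\n", $i + 1, $layer);
}

// NUL bytes are escaped as \0, which matters for binary-safe contexts.
printf("NUL escaped: %s\n", addslashes("a\0b"));

// Round trips hold for quotes and for strings that already contain
// backslashes (the constructed path below uses a double-quoted literal,
// so "\\" is one real backslash in the value).
var_dump(round_trips_cleanly($sample));
var_dump(round_trips_cleanly("C:\\temp\\file.txt"));

// Failure mode: stripping slashes from input that was never escaped
// silently deletes legitimate backslashes. Only strip what you added.
$raw = 'C:\temp\file.txt'; // single-quoted, so the backslashes are literal
printf("stripslashes on raw input: %s\n", stripslashes($raw));
```

Because of the last case, stripslashes() should only ever be applied to data you know was escaped with addslashes(), never to arbitrary user input as a "cleanup" step.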

Copyright ©2015 Paul Hudson. Follow me: @twostraws.