Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

addslashes(3) [php man page]

ADDSLASHES(3)								 1							     ADDSLASHES(3)

addslashes - Quote string with slashes

SYNOPSIS

       string addslashes (string  $str)

DESCRIPTION

	Returns  a  string  with backslashes before characters that need to be escaped. These characters are single quote ( '), double quote ( "),
       backslash ( ) and NUL (the NULL byte).

	An example use of addslashes(3) is when you're entering data into string that is evaluated by PHP. For	example,  O'Reilly  is	stored	in
       $str, you need to escape $str. (e.g. eval("echo '".addslashes($str)."';"); )

	To  escape  database  parameters,  DBMS  specific  escape  function  (e.g. mysqli_real_escape_string(3) for MySQL or pg_escape_literal(3),
       pg_escape_string(3) for PostgreSQL) should be used for security reasons. DBMSes have differect escape specification for	identifiers  (e.g.
       Table name, field name) than parameters. Some DBMS such as PostgreSQL provides identifier escape function, pg_escape_identifier(3), but not
       all DBMS provides identifier escape API. If this is the case, refer to your database system manual for proper escaping method.

	If your DBMS doesn't have an escape function and the DBMS uses  to escape special chars, you might be able to use this function only when
       this  escape  method  is  adequate for your database. Please note that use of addslashes(3) for database parameter escaping can be cause of
       security issues on most databases.

	The PHP directive  magic_quotes_gpc was on by default before PHP 5.4, and it essentially ran addslashes(3) on all GET,	POST,  and  COOKIE
       data. Do not use addslashes(3) on strings that have already been escaped with magic_quotes_gpc as you'll then do double escaping. The func-
       tion get_magic_quotes_gpc(3) may come in handy for checking this.

PARAMETERS

	      o $str
		- The string to be escaped.

RETURN VALUES

	Returns the escaped string.

EXAMPLES

       Example #1

	      An addslashes(3) example

	      <?php
	      $str = "Is your name O'Reilly?";

	      // Outputs: Is your name O'Reilly?
	      echo addslashes($str);
	      ?>

SEE ALSO

       stripcslashes(3), stripslashes(3), addcslashes(3), htmlspecialchars(3), quotemeta(3), get_magic_quotes_gpc(3).

PHP Documentation Group 													     ADDSLASHES(3)

Check Out this Related Man Page

MYSQL_ESCAPE_STRING(3)							 1						    MYSQL_ESCAPE_STRING(3)

mysql_escape_string - Escapes a string for use in a mysql_query

SYNOPSIS

       Warning

	      This  function  was deprecated in PHP 4.3.0, and will be removed in the future, along with the entirety of the original MySQL exten-
	      sion. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide  and  related  FAQ  for  more
	      information. Alternatives to this function include:

		     omysqli_escape_string(3)

		     o PDO::quote

       string mysql_escape_string (string  $unescaped_string)

DESCRIPTION

	This function will escape the $unescaped_string, so that it is safe to place it in a mysql_query(3). This function is deprecated.

	This  function	is identical to mysql_real_escape_string(3) except that mysql_real_escape_string(3) takes a connection handler and escapes
       the string according to the current character set. mysql_escape_string(3) does not take a connection argument and does not respect the cur-
       rent charset setting.

	      o $unescaped_string
		- The string that is to be escaped.

	Returns the escaped string.

       +--------+---------------------------------------------------+
       |Version |						    |
       |	|						    |
       |	|		     Description		    |
       |	|						    |
       +--------+---------------------------------------------------+
       | 5.3.0	|						    |
       |	|						    |
       |	|  This function now throws an E_DEPRECATED notice. |
       |	|						    |
       | 4.3.0	|						    |
       |	|						    |
       |	|  This function became deprecated, do not use this |
       |	| function.		 Instead,		use |
       |	| mysql_real_escape_string(3).			    |
       |	|						    |
       +--------+---------------------------------------------------+
       Example #1

	      mysql_escape_string(3) example

	      <?php
	      $item = "Zak's Laptop";
	      $escaped_item = mysql_escape_string($item);
	      printf("Escaped string: %s
", $escaped_item);
	      ?>

	      The above example will output:

	      Escaped string: Zak's Laptop

       Note

	      mysql_escape_string(3) does not escape % and _.

       mysql_real_escape_string(3), addslashes(3), The magic_quotes_gpc directive..

PHP Documentation Group 												    MYSQL_ESCAPE_STRING(3)
Man Page