PHP Strings Primer - Adding and Removing Slashes
The functionality of the 'addslashes()' and 'stripslashes()' functions is straightforward and to the point. Any data passed to the 'addslashes()' function will be returned with the characters mentioned earlier escaped. Conversely, passing data that has characters escaped by slashes to the 'stripslashes()' function will remove said slashes. Let's take a look at a couple of simple examples to demonstrate these points.
<?php
$text = "I'm going home.";
$slashed = addslashes($text);
echo $slashed;
?>
The output from this code would be:
I\'m going home.
Now, let's do the reverse to see how the slashes are removed.
<?php
$slashed = "I\'m going home.";
$text = stripslashes($slashed);
echo $text;
?>
From which the output would be:
I'm going home.
When should you add slashes?
Adding slashes to your data is needed when you will be storing that data in a database. If you don't properly escape data with slashes before inserting it into a database, your queries run the risk of failing. The key is knowing when you should or should not add slashes.
Knowing when to add and remove slashes from strings has been a subject of confusion for many PHP programmers. The culprit behind the confusion is the 'magic_quotes_gpc' directive. This is a setting that can be configured through the PHP configuration file. It can also be set for a particular directory on the web server or on a script-by-script basis by using the 'ini_set()' function. When this directive is enabled, PHP will automatically add slashes to certain data, making it unnecessary for us to do so. The confusion comes in because programmers don't know when they should, and when they shouldn't, add slashes.
To eliminate this confusion, let's first examine the 'magic_quotes_gpc' directive and determine when and how it operates. The data that will be escaped when this directive is enabled is any data from a GET, POST, or cookie operation. So, any data received from an HTML form, data that comes from variables specified in the URL's query string, and any data from a cookie will be escaped with slashes.
When this directive is enabled, it will operate just as if we had sent the data through the 'addslashes()' function. If we run the same data through the 'addslashes()' function, the data will end up with too many backslashes and confusion will set in. Luckily, there is an easy way for us to determine if we need to add slashes or not. PHP supplies us with a function named 'get_magic_quotes_gpc()'. This function will return a '0' if the 'magic_quotes_gpc' directive is off and a '1' if it is on. By utilizing this function, we can dynamically decide whether we should add slashes or not.
<?php
// Add slashes only when magic_quotes_gpc has not already added them.
if (!get_magic_quotes_gpc()) {
    $data = addslashes($_POST['somvariable']);
} else {
    $data = $_POST['somvariable'];
}
?>
The code snippet above shows how we can use the 'get_magic_quotes_gpc()' function to determine if adding slashes is necessary. In this example, we are taking data from a form via the POST method. Remember, 'magic_quotes_gpc' only affects data that comes from the GET, POST, and cookie methods. All other data will not be affected and should be properly escaped with 'addslashes()'.
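The same check in a form that still runs on current PHP, followed by a database insert, as an added example that is not from the original article: 'magic_quotes_gpc' was removed in PHP 5.4 and 'get_magic_quotes_gpc()' in PHP 8.0, so the helper tests for the function before calling it. The helper name raw_request_value(), the notes table and the in-memory SQLite database (requires pdo_sqlite) are assumptions, and the example goes beyond the article by binding the value as a query parameter instead of escaping it with 'addslashes()'.

```php
<?php
// Added example, not from the original article. Assumes the pdo_sqlite
// extension; raw_request_value() and the notes table are hypothetical names.

// Return a request value as the client sent it, undoing the slashes that
// magic_quotes_gpc adds when it is enabled (possible only before PHP 5.4).
function raw_request_value(array $source, $key)
{
    $value = (isset($source[$key]) && is_string($source[$key])) ? $source[$key] : '';
    // get_magic_quotes_gpc() no longer exists in PHP 8, so test for it first;
    // @ silences the deprecation notice PHP 7.4 raises when it is called.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Constructed sample input standing in for a submitted form field.
$_POST = array('somvariable' => "I'm going home.");
$text = raw_request_value($_POST, 'somvariable');

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (body TEXT)');

// 1. addslashes() plus string concatenation. SQLite does not treat the
//    backslash as an escape character, so the apostrophe still ends the
//    string literal and the statement is rejected.
try {
    $db->exec("INSERT INTO notes (body) VALUES ('" . addslashes($text) . "')");
    echo "concatenated insert: accepted\n";
} catch (PDOException $e) {
    echo "concatenated insert: rejected (" . $e->getMessage() . ")\n";
}

// 2. Bound parameter. The value is sent separately from the SQL text, so it
//    needs no slashes and is stored byte for byte.
$stmt = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
$stmt->execute(array(':body' => $text));

$stored = $db->query('SELECT body FROM notes')->fetchColumn();
echo ($stored === $text) ? "bound insert: stored unchanged\n"
                         : "bound insert: value altered\n";
```

The first insert shows that the backslash convention of 'addslashes()' is not understood by every database, which is why the value is bound rather than escaped in the second insert.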
There are two other functions that are very similar to addslashes() and stripslashes(). They are addcslashes() and stripcslashes(). The difference is that these two functions will escape many more characters than the originally presented functions. They also require that you provide a list of characters that should be escaped. For most purposes, the normal addslashes() and stripslashes() functions will do all you need, and there shouldn't be a need to use the second pair of functions we have just mentioned.
More By Matt Wade