<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title>Quote string with slashes</title> </head> <body><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="function.addcslashes.html">addcslashes</a></div> <div class="next" style="text-align: right; float: right;"><a href="function.bin2hex.html">bin2hex</a></div> <div class="up"><a href="ref.strings.html">String Functions</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div><hr /><div id="function.addslashes" class="refentry"> <div class="refnamediv"> <h1 class="refname">addslashes</h1> <p class="verinfo">(PHP 4, PHP 5)</p><p class="refpurpose"><span class="refname">addslashes</span> — <span class="dc-title">Quote string with slashes</span></p> </div> <div class="refsect1 description" id="refsect1-function.addslashes-description"> <h3 class="title">Description</h3> <div class="methodsynopsis dc-description"> <span class="type">string</span> <span class="methodname"><strong>addslashes</strong></span> ( <span class="methodparam"><span class="type">string</span> <code class="parameter">$str</code></span> )</div> <p class="para rdfs-comment"> Returns a string with backslashes before characters that need to be escaped. These characters are single quote (<em>'</em>), double quote (<em>"</em>), backslash (<em>\</em>) and NUL (the <strong><code>NULL</code></strong> byte). </p> <p class="para"> An example use of <span class="function"><strong>addslashes()</strong></span> is when you're entering data into a string that is evaluated by PHP. For example, if <em>O'reilly</em> is stored in $str, you need to escape $str (e.g. <code>eval("echo '".addslashes($str)."';");</code>). </p> <p class="para"> To escape database parameters, a DBMS-specific escape function (e.g. 
<span class="function"><a href="mysqli.real-escape-string.html" class="function">mysqli_real_escape_string()</a></span> for MySQL or <span class="function"><a href="function.pg-escape-literal.html" class="function">pg_escape_literal()</a></span>, <span class="function"><a href="function.pg-escape-string.html" class="function">pg_escape_string()</a></span> for PostgreSQL) should be used for security reasons. DBMSes have different escape specifications for identifiers (e.g. table name, field name) than for parameters. Some DBMSes, such as PostgreSQL, provide an identifier escape function, <span class="function"><strong>pg_escape_identifier()</strong></span>, but not all DBMSes provide an identifier escape API. If this is the case, refer to your database system manual for the proper escaping method. </p> <p class="para"> If your DBMS doesn't have an escape function and the DBMS uses <em>\</em> to escape special chars, you might be able to use this function, but only when this escape method is adequate for your database. Please note that using <span class="function"><strong>addslashes()</strong></span> for database parameter escaping can cause security issues on most databases. </p> <p class="para"> The PHP directive <a href="info.configuration.html#ini.magic-quotes-gpc" class="link">magic_quotes_gpc</a> was <em>on</em> by default before PHP 5.4, and it essentially ran <span class="function"><strong>addslashes()</strong></span> on all GET, POST, and COOKIE data. Do not use <span class="function"><strong>addslashes()</strong></span> on strings that have already been escaped with <a href="info.configuration.html#ini.magic-quotes-gpc" class="link">magic_quotes_gpc</a>, as you would then escape them twice. The function <span class="function"><a href="function.get-magic-quotes-gpc.html" class="function">get_magic_quotes_gpc()</a></span> may come in handy for checking this. 
</p> </div> <div class="refsect1 parameters" id="refsect1-function.addslashes-parameters"> <h3 class="title">Parameters</h3> <p class="para"> <dl> <dt> <span class="term"><em><code class="parameter">str</code></em></span> </dt> <dd> <p class="para"> The string to be escaped. </p> </dd> </dl> </p> </div> <div class="refsect1 returnvalues" id="refsect1-function.addslashes-returnvalues"> <h3 class="title">Return Values</h3> <p class="para"> Returns the escaped string. </p> </div> <div class="refsect1 examples" id="refsect1-function.addslashes-examples"> <h3 class="title">Examples</h3> <p class="para"> <div class="example" id="example-4817"> <p><strong>Example #1 An <span class="function"><strong>addslashes()</strong></span> example</strong></p> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB">&lt;?php<br />$str </span><span style="color: #007700">= </span><span style="color: #DD0000">"Is your name O'reilly?"</span><span style="color: #007700">;<br /><br /></span><span style="color: #FF8000">// Outputs: Is your name O\'reilly?<br /></span><span style="color: #007700">echo </span><span style="color: #0000BB">addslashes</span><span style="color: #007700">(</span><span style="color: #0000BB">$str</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">?&gt;</span> </span> </code></div> </div> </div> </p> </div> <div class="refsect1 seealso" id="refsect1-function.addslashes-seealso"> <h3 class="title">See Also</h3> <p class="para"> <ul class="simplelist"> <li class="member"> <span class="function"><a href="function.stripcslashes.html" class="function" rel="rdfs-seeAlso">stripcslashes()</a> - Un-quote string quoted with addcslashes</span></li> <li class="member"> <span class="function"><a href="function.stripslashes.html" class="function" rel="rdfs-seeAlso">stripslashes()</a> - Un-quotes a quoted string</span></li> <li class="member"> <span class="function"><a 
href="function.addcslashes.html" class="function" rel="rdfs-seeAlso">addcslashes()</a> - Quote string with slashes in a C style</span></li> <li class="member"> <span class="function"><a href="function.htmlspecialchars.html" class="function" rel="rdfs-seeAlso">htmlspecialchars()</a> - Convert special characters to HTML entities</span></li> <li class="member"> <span class="function"><a href="function.quotemeta.html" class="function" rel="rdfs-seeAlso">quotemeta()</a> - Quote meta characters</span></li> <li class="member"> <span class="function"><a href="function.get-magic-quotes-gpc.html" class="function" rel="rdfs-seeAlso">get_magic_quotes_gpc()</a> - Gets the current configuration setting of magic_quotes_gpc</span></li> </ul> </p> </div> </div></body></html>
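The advice in the Description to use the DBMS's own escaping rather than addslashes(), shown as an added example that is not part of the PHP manual: SQLite follows standard SQL, where a quote inside a string literal is escaped by doubling it and a backslash has no special meaning, so backslash escaping does not protect the literal. The in-memory SQLite database, the `people` table and the use of PDO with the pdo_sqlite driver are assumptions made for this illustration.

```php
<?php
// Added illustration; assumes the PDO and pdo_sqlite extensions are loaded.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE people (name TEXT)');   // hypothetical table

$str = "O'reilly";   // same sample value the manual text uses

// 1. addslashes() puts a backslash before the quote. SQLite treats that
//    backslash as an ordinary character, so the quote still ends the literal
//    and the remainder of the value is parsed as SQL.
$sql = "INSERT INTO people (name) VALUES ('" . addslashes($str) . "')";
try {
    $pdo->exec($sql);
    $addslashesResult = 'statement accepted';
} catch (PDOException $e) {
    $addslashesResult = 'statement rejected: ' . $e->getMessage();
}

// 2. Escaping supplied by the database driver: PDO::quote() applies the
//    quoting rules of the connected DBMS and adds the surrounding quotes.
$quoted = $pdo->quote($str);
$pdo->exec('INSERT INTO people (name) VALUES (' . $quoted . ')');

// 3. Bound parameter: the value is sent separately from the SQL text,
//    so no escaping of the value is needed at all.
$stmt = $pdo->prepare('INSERT INTO people (name) VALUES (?)');
$stmt->execute(array($str));

echo 'addslashes(): ', addslashes($str), ' => ', $addslashesResult, PHP_EOL;
echo 'PDO::quote(): ', $quoted, PHP_EOL;
foreach ($pdo->query('SELECT name FROM people') as $row) {
    echo 'stored value: ', $row['name'], PHP_EOL;
}
```

Only the rows written by the driver-quoted statement and the bound-parameter statement hold the original value unchanged.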