<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title>Quote string with slashes</title> </head> <body><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="function.addcslashes.html">addcslashes</a></div> <div class="next" style="text-align: right; float: right;"><a href="function.bin2hex.html">bin2hex</a></div> <div class="up"><a href="ref.strings.html">String Functions</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div><hr /><div id="function.addslashes" class="refentry"> <div class="refnamediv"> <h1 class="refname">addslashes</h1> <p class="verinfo">(PHP 4, PHP 5, PHP 7)</p><p class="refpurpose"><span class="refname">addslashes</span> — <span class="dc-title">Quote string with slashes</span></p> </div> <div class="refsect1 description" id="refsect1-function.addslashes-description"> <h3 class="title">Description</h3> <div class="methodsynopsis dc-description"> <span class="type">string</span> <span class="methodname"><strong>addslashes</strong></span> ( <span class="methodparam"><span class="type">string</span> <code class="parameter">$str</code></span> )</div> <p class="para rdfs-comment"> Returns a string with backslashes added before characters that need to be escaped. 
These characters are: <ul class="simplelist"> <li class="member">single quote (<em>'</em>)</li> <li class="member">double quote (<em>"</em>)</li> <li class="member">backslash (<em>\</em>)</li> <li class="member">NUL (the NUL byte)</li> </ul> </p> <p class="para"> A use case of <span class="function"><strong>addslashes()</strong></span> is escaping the aforementioned characters in a string that is to be evaluated by PHP: <div class="informalexample"> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB">&lt;?php<br />$str </span><span style="color: #007700">= </span><span style="color: #DD0000">"O'Reilly?"</span><span style="color: #007700">;<br />eval(</span><span style="color: #DD0000">"echo '" </span><span style="color: #007700">. </span><span style="color: #0000BB">addslashes</span><span style="color: #007700">(</span><span style="color: #0000BB">$str</span><span style="color: #007700">) . </span><span style="color: #DD0000">"';"</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">?&gt;</span> </span> </code></div> </div> </div> </p> <p class="para"> Prior to PHP 5.4.0, the PHP directive <a href="info.configuration.html#ini.magic-quotes-gpc" class="link">magic_quotes_gpc</a> was <em>on</em> by default and it essentially ran <span class="function"><strong>addslashes()</strong></span> on all GET, POST and COOKIE data. <span class="function"><strong>addslashes()</strong></span> must not be used on strings that have already been escaped with <a href="info.configuration.html#ini.magic-quotes-gpc" class="link">magic_quotes_gpc</a>, as the strings will be double escaped. <span class="function"><a href="function.get-magic-quotes-gpc.html" class="function">get_magic_quotes_gpc()</a></span> can be used to check if <a href="info.configuration.html#ini.magic-quotes-gpc" class="link">magic_quotes_gpc</a> is <em>on</em>. 
</p> <p class="para"> <span class="function"><strong>addslashes()</strong></span> is sometimes incorrectly used to try to prevent <a href="security.database.sql-injection.html" class="link">SQL Injection</a>. Instead, database-specific escaping functions and/or prepared statements should be used. </p> </div> <div class="refsect1 parameters" id="refsect1-function.addslashes-parameters"> <h3 class="title">Parameters</h3> <p class="para"> <dl> <dt> <code class="parameter">str</code></dt> <dd> <p class="para"> The string to be escaped. </p> </dd> </dl> </p> </div> <div class="refsect1 returnvalues" id="refsect1-function.addslashes-returnvalues"> <h3 class="title">Return Values</h3> <p class="para"> Returns the escaped string. </p> </div> <div class="refsect1 examples" id="refsect1-function.addslashes-examples"> <h3 class="title">Examples</h3> <p class="para"> <div class="example" id="example-6019"> <p><strong>Example #1 An <span class="function"><strong>addslashes()</strong></span> example</strong></p> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB">&lt;?php<br />$str </span><span style="color: #007700">= </span><span style="color: #DD0000">"Is your name O'Reilly?"</span><span style="color: #007700">;<br /><br /></span><span style="color: #FF8000">// Outputs: Is your name O\'Reilly?<br /></span><span style="color: #007700">echo </span><span style="color: #0000BB">addslashes</span><span style="color: #007700">(</span><span style="color: #0000BB">$str</span><span style="color: #007700">);<br /></span><span style="color: #0000BB">?&gt;</span> </span> </code></div> </div> </div> </p> </div> <div class="refsect1 seealso" id="refsect1-function.addslashes-seealso"> <h3 class="title">See Also</h3> <p class="para"> <ul class="simplelist"> <li class="member"><span class="function"><a href="function.stripcslashes.html" class="function" rel="rdfs-seeAlso">stripcslashes()</a> - Un-quote string quoted with 
addcslashes</span></li> <li class="member"><span class="function"><a href="function.stripslashes.html" class="function" rel="rdfs-seeAlso">stripslashes()</a> - Un-quotes a quoted string</span></li> <li class="member"><span class="function"><a href="function.addcslashes.html" class="function" rel="rdfs-seeAlso">addcslashes()</a> - Quote string with slashes in a C style</span></li> <li class="member"><span class="function"><a href="function.htmlspecialchars.html" class="function" rel="rdfs-seeAlso">htmlspecialchars()</a> - Convert special characters to HTML entities</span></li> <li class="member"><span class="function"><a href="function.quotemeta.html" class="function" rel="rdfs-seeAlso">quotemeta()</a> - Quote meta characters</span></li> <li class="member"><span class="function"><a href="function.get-magic-quotes-gpc.html" class="function" rel="rdfs-seeAlso">get_magic_quotes_gpc()</a> - Gets the current configuration setting of magic_quotes_gpc</span></li> </ul> </p> </div> </div></body></html>
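<p class="para">Added example (not code from the PHP manual), illustrating the Description's note that addslashes() is sometimes incorrectly used to try to prevent SQL injection and that prepared statements should be used instead: it runs the same two lookups once with addslashes() and string concatenation and once with bound parameters. It assumes the pdo_sqlite extension is loaded; the <code>authors</code> table, its rows and the input strings are constructed for illustration.</p>

```php
<?php
// Added example. Assumes the pdo_sqlite extension; schema and inputs are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authors (id INTEGER PRIMARY KEY, name TEXT)');

// Prepared statement: values are sent as bound parameters, never as SQL text,
// so quotes and backslashes are stored byte for byte.
$insert = $db->prepare('INSERT INTO authors (name) VALUES (:name)');
foreach (["O'Reilly", 'Smith', 'C:\\temp'] as $name) {
    $insert->execute([':name' => $name]);
}

// Case 1: quoted context. addslashes() emits \' but SQLite, like standard SQL,
// only treats a doubled quote ('') as an escaped quote, so the literal ends early.
$name = "O'Reilly";
try {
    $db->query("SELECT id FROM authors WHERE name = '" . addslashes($name) . "'");
    $viaAddslashes = 'query ran';
} catch (PDOException $e) {
    $viaAddslashes = 'query rejected: ' . $e->getMessage();
}
$byName = $db->prepare('SELECT id FROM authors WHERE name = :name');
$byName->execute([':name' => $name]);
$viaPrepared = count($byName->fetchAll(PDO::FETCH_COLUMN)) . ' row(s)';

// Case 2: unquoted numeric context. The input holds none of the four characters
// addslashes() escapes, so it reaches the query unchanged and is parsed as SQL.
$id = '0 OR 1=1';
$concat = $db->query('SELECT name FROM authors WHERE id = ' . addslashes($id))
             ->fetchAll(PDO::FETCH_COLUMN);
$byId = $db->prepare('SELECT name FROM authors WHERE id = :id');
$byId->execute([':id' => $id]);   // bound as one value, compared to id as data
$bound = $byId->fetchAll(PDO::FETCH_COLUMN);

printf("quoted context, addslashes: %s\n", $viaAddslashes);
printf("quoted context, prepared:   %s\n", $viaPrepared);
printf("numeric context, addslashes: %d row(s)\n", count($concat));
printf("numeric context, prepared:   %d row(s)\n", count($bound));
```

<p class="para">Comparing the two lines printed for each context shows where addslashes() and the database disagree about what is data and what is SQL; the prepared-statement lines are the behaviour to rely on.</p>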