PHP addslashes and stripslashes explained
Jul 14, 2025 am 02:05 AM
addslashes adds backslashes to quotes and specific characters, while stripslashes removes them. These functions are used for escaping strings in PHP but have limited use cases. 1. addslashes prevents issues by escaping quotes in dynamic content like SQL queries or HTML attributes. 2. It is useful in legacy code, non-database contexts, or manual JSON generation but should not be relied on for SQL due to risks like double escaping and SQL injection. 3. Instead, modern practices recommend prepared statements or database-specific escaping functions. 4. stripslashes removes added slashes, mainly for cleaning up old over-escaped data. 5. Using both together is discouraged as it may cancel effects and introduce bugs or security risks. Proper context-specific escaping methods are preferred over these functions.
!["PHP]("https://img.php.cn/upload/article/000/000/000/175242991145570.jpg")
When dealing with strings in PHP, especially when handling user input for databases or HTML output, addslashes and stripslashes are two functions you might come across. They help manage quotes in strings, but they're often misunderstood or misused.
!["PHP]("https://img.php.cn/upload/article/000/000/000/175242991330627.jpeg")
What addslashes does
The main job of addslashes is to add backslashes before certain characters — specifically single quotes ('), double quotes ("), backslashes (\), and the NUL byte (ASCII 0). This helps prevent issues like breaking SQL queries or HTML attributes when inserting dynamic content.
For example:
!["PHP]("https://img.php.cn/upload/article/000/000/000/175242991483748.jpeg")
$input = "Hello, I'm learning PHP!"; echo addslashes($input); // Output: Hello, I\'m learning PHP!
This function doesn't know about context — it just blindly escapes those four characters. So if you're inserting into a database, it's not always the right tool (more on that later).
When to use addslashes
There are a few specific cases where addslashes might still be useful:
!["PHP]("https://img.php.cn/upload/article/000/000/000/175242991522876.jpeg")
- You're working with legacy code that doesn’t support prepared statements.
- You need to escape data going into a non-database context like a shell command or a config file.
- You're generating JSON manually and want to make sure quotes don't break formatting.
Still, in most modern applications, especially when interacting with databases, there are better options.
Why not rely on addslashes for SQL?
Using addslashes for database queries can lead to problems. It’s prone to double escaping, under-escaping, and even security issues like SQL injection, especially if character encoding tricks are involved.
Instead of addslashes, you should:
- Use prepared statements with PDO or MySQLi.
- Let your database library handle escaping via functions like
PDO::quote()ormysqli_real_escape_string(). - Always bind parameters instead of interpolating values directly into queries.
These approaches are safer and more robust than trying to manually escape everything.
What stripslashes does
If addslashes adds slashes, then stripslashes does the opposite — it removes them. It looks for backslashes before quotes and strips them out.
Example:
$input = "I\\\"m writing code!"; echo stripslashes($input); // Output: I"m writing code!
This function is mostly useful when magic_quotes_gpc was enabled (which is now deprecated and removed as of PHP 5.4). If you're dealing with old systems or legacy data that has been over-escaped, this can help clean things up.
Should you use both together?
Not usually. Using addslashes followed by stripslashes cancels both out and can introduce bugs, especially if data contains legitimate backslashes.
Also, using stripslashes on untrusted data before validating or sanitizing it can expose your app to injection risks. Handle escaping at the right time — only when needed for a specific context like output or query building.
So unless you're cleaning up escaped data from an older system, combining these two isn't recommended.
In short, addslashes and stripslashes have their uses, but they’re limited and easy to misuse. Stick to proper escaping and sanitization tools based on what you're doing — whether it's SQL insertion, HTML output, or JSON encoding.
The above is the detailed content of PHP addslashes and stripslashes explained. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How Do Generators Work in PHP?
Jul 11, 2025 am 03:12 AM
AgeneratorinPHPisamemory-efficientwaytoiterateoverlargedatasetsbyyieldingvaluesoneatatimeinsteadofreturningthemallatonce.1.Generatorsusetheyieldkeywordtoproducevaluesondemand,reducingmemoryusage.2.Theyareusefulforhandlingbigloops,readinglargefiles,or
How to access a character in a string by index in PHP
Jul 12, 2025 am 03:15 AM
In PHP, you can use square brackets or curly braces to obtain string specific index characters, but square brackets are recommended; the index starts from 0, and the access outside the range returns a null value and cannot be assigned a value; mb_substr is required to handle multi-byte characters. For example: $str="hello";echo$str[0]; output h; and Chinese characters such as mb_substr($str,1,1) need to obtain the correct result; in actual applications, the length of the string should be checked before looping, dynamic strings need to be verified for validity, and multilingual projects recommend using multi-byte security functions uniformly.
How to prevent session hijacking in PHP?
Jul 11, 2025 am 03:15 AM
To prevent session hijacking in PHP, the following measures need to be taken: 1. Use HTTPS to encrypt the transmission and set session.cookie_secure=1 in php.ini; 2. Set the security cookie attributes, including httponly, secure and samesite; 3. Call session_regenerate_id(true) when the user logs in or permissions change to change to change the SessionID; 4. Limit the Session life cycle, reasonably configure gc_maxlifetime and record the user's activity time; 5. Prohibit exposing the SessionID to the URL, and set session.use_only
How to URL encode a string in PHP with urlencode
Jul 11, 2025 am 03:22 AM
The urlencode() function is used to encode strings into URL-safe formats, where non-alphanumeric characters (except -, _, and .) are replaced with a percent sign followed by a two-digit hexadecimal number. For example, spaces are converted to signs, exclamation marks are converted to!, and Chinese characters are converted to their UTF-8 encoding form. When using, only the parameter values ??should be encoded, not the entire URL, to avoid damaging the URL structure. For other parts of the URL, such as path segments, the rawurlencode() function should be used, which converts the space to . When processing array parameters, you can use http_build_query() to automatically encode, or manually call urlencode() on each value to ensure safe transfer of data. just
PHP get the first N characters of a string
Jul 11, 2025 am 03:17 AM
You can use substr() or mb_substr() to get the first N characters in PHP. The specific steps are as follows: 1. Use substr($string,0,N) to intercept the first N characters, which is suitable for ASCII characters and is simple and efficient; 2. When processing multi-byte characters (such as Chinese), mb_substr($string,0,N,'UTF-8'), and ensure that mbstring extension is enabled; 3. If the string contains HTML or whitespace characters, you should first use strip_tags() to remove the tags and trim() to clean the spaces, and then intercept them to ensure the results are clean.
PHP get the last N characters of a string
Jul 11, 2025 am 03:17 AM
There are two main ways to get the last N characters of a string in PHP: 1. Use the substr() function to intercept through the negative starting position, which is suitable for single-byte characters; 2. Use the mb_substr() function to support multilingual and UTF-8 encoding to avoid truncating non-English characters; 3. Optionally determine whether the string length is sufficient to handle boundary situations; 4. It is not recommended to use strrev() substr() combination method because it is not safe and inefficient for multi-byte characters.
How to set and get session variables in PHP?
Jul 12, 2025 am 03:10 AM
To set and get session variables in PHP, you must first always call session_start() at the top of the script to start the session. 1. When setting session variables, use $_SESSION hyperglobal array to assign values ??to specific keys, such as $_SESSION['username']='john_doe'; it can store strings, numbers, arrays and even objects, but avoid storing too much data to avoid affecting performance. 2. When obtaining session variables, you need to call session_start() first, and then access the $_SESSION array through the key, such as echo$_SESSION['username']; it is recommended to use isset() to check whether the variable exists to avoid errors
How to prevent SQL injection in PHP
Jul 12, 2025 am 03:02 AM
Key methods to prevent SQL injection in PHP include: 1. Use preprocessing statements (such as PDO or MySQLi) to separate SQL code and data; 2. Turn off simulated preprocessing mode to ensure true preprocessing; 3. Filter and verify user input, such as using is_numeric() and filter_var(); 4. Avoid directly splicing SQL strings and use parameter binding instead; 5. Turn off error display in the production environment and record error logs. These measures comprehensively prevent the risk of SQL injection from mechanisms and details.
