Forms and Addslashes/Stripslashes
Processing a form with PHP is a relatively simple procedure. However, new PHP coders may become confused
when they process a form and find that slashes have been added to some of the text, or when they retrieve
some text from a database and find that a portion of it has gone missing. Thankfully PHP makes
this easy on us by providing two functions: addslashes() and stripslashes().
Both functions work in the same manner. They take a string as an argument and return a string value
from the function.
string stripslashes(string str)
string addslashes(string str)
When you set up PHP, magic_quotes_gpc is ON by default. This means that the magic_quotes state for GPC (Get/Post/Cookie) operations is turned on, and every ' (single quote), " (double quote), \ (backslash) and NUL byte in that data will automatically be escaped with a backslash.
What does that mean to you? It means that if you have a form that passes information to another page (or
the same page), any variables containing ' " \ or a NUL byte will now have the escape character \ before
the original character.
So if you had a form that asked for a famous quote and someone typed in:
"It's not easy being green" -Kermit the Frog
If you displayed the quote on the page you would see:
\"It\'s not easy being green\" -Kermit the Frog
The reason PHP does this is that if you are going to be adding the variable to a database, those four
characters usually have to be escaped to enter them properly into the database. If you had
magic_quotes_gpc turned off, you would have to remember to escape the characters yourself before
entering the information into a database.
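The transformation described above, as an added example that is not part of the original tutorial: it applies addslashes() to the Kermit quote to reproduce what the script receives with magic_quotes_gpc on, undoes it with stripslashes(), and then shows a small helper that strips only when magic quotes actually ran. The helper name unescape_gpc() and the sample inputs are constructed for this example. magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0, so the helper guards the call with function_exists().

```php
<?php
// Added example (not from the original tutorial): what addslashes() and
// stripslashes() do to the Kermit quote, and how to undo magic_quotes_gpc
// escaping only when it was actually applied.

// Constructed sample input: what the visitor actually typed.
$typed = '"It\'s not easy being green" -Kermit the Frog';

// What the script receives with magic_quotes_gpc ON: every ' " \ and NUL
// byte gets a backslash in front of it.
$escaped = addslashes($typed);
echo $escaped, "\n";

// stripslashes() reverses it exactly, so the comparison below holds.
$original = stripslashes($escaped);
var_dump($original === $typed);

// Strip only when magic quotes really ran. Stripping unconditionally would
// mangle a submission that legitimately contains a backslash.
function unescape_gpc(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Constructed sample with a real backslash: on PHP 5.4 and later, where
// magic quotes no longer exist, it must come back unchanged.
$with_backslash = 'Path was C:\temp';
echo unescape_gpc($with_backslash), "\n";
```

On an old PHP with magic_quotes_gpc on, unescape_gpc() returns the quote as typed; on any PHP from 5.4 onward it is a no-op, which is the reason to test the setting rather than call stripslashes() blindly on every field.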
This might be easier if we use an example - we'll use the quote form we mentioned above.
PHP Famous Quote Form
The form below can be used if you'd like to test it out. However, because of various settings with PHP you may have to adapt the code to work.
<html>
<head> <title>Famous Quote Form</title> </head>
<body>
<?php
// Read the hidden "check" field; isset() avoids an undefined-index notice
// on the first visit, before the form has been submitted.
$check = isset($_POST['check']) ? $_POST['check'] : '';
if ($check != "y") {
    // $_SERVER['PHP_SELF'] replaces the old register_globals $PHP_SELF;
    // it is passed through htmlspecialchars() because it echoes part of
    // the request URL back into the page.
    $self = htmlspecialchars($_SERVER['PHP_SELF']);
    echo "
    <form method=\"post\" action=\"$self\">
    <textarea name=\"quote\"></textarea>
    <input type=\"hidden\" name=\"check\" value=\"y\" />
    <input type=\"submit\" />
    </form>
    ";
} else {
    $quote = isset($_POST['quote']) ? $_POST['quote'] : '';
    // Echoed raw here so the backslashes added by magic_quotes_gpc are
    // visible; output shown to real visitors should go through
    // htmlspecialchars() first.
    echo $quote;
}
?>
</body>
</html>
When the above is run with a quote in the textarea box that contains any of the four characters that
need to be escaped, we will see the escape character (backslash) before each such character, just as in
the example quote we first mentioned ("It's not easy being green" -Kermit the Frog).
Stripslashes
Now assume that we didn't want the escape character to be there when we showed the quote to the person
entering it. This is when the stripslashes() function would come into play.
We replace the line:
echo $quote;
With the lines:
$quote = stripslashes($quote);
echo $quote;
We'd get the desired result:
"It's not easy being green" -Kermit the Frog
Addslashes
After we have stripped the slashes from the quote we can display the quote the way it was meant to be
seen on a web page or even in a file. However, if we wanted to add the quote to a database we would
probably get an error, or we may even find that the quote gets cut short because of the single or
double quotes in the variable. Before we add the variable to a database we would need to make sure
that the quote had the proper characters escaped. This is where the addslashes() function would come
into play.
Assume that we still have the lines above in our script. Where we replaced the line:
echo $quote;
With the lines:
$quote = stripslashes($quote);
echo $quote;
Now after we've shown the quote to the viewer we wanted to add the quote to a database. We would need
to add the escape character to the single and double quotes. So after the line:
echo $quote;
We could add the line:
$quote = addslashes($quote);
And then enter the variable $quote into the database with the appropriate code.
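The database step the section above leaves to "the appropriate code", as an added example that is not the tutorial's own code: it stores the quote in an in-memory SQLite database through PDO, first the way the text describes (addslashes() and string splicing) and then with a prepared statement, and reads the row back. It assumes the pdo_sqlite extension is loaded; the table name "quotes" and the sample quote are constructed for this example.

```php
<?php
// Added example, not code from the original tutorial: inserting the quote
// into a database. In-memory SQLite via PDO so it runs offline; assumes
// the pdo_sqlite extension is available.

$quote = '"It\'s not easy being green" -Kermit the Frog'; // as typed, no slashes

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE quotes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// 1. The tutorial's approach: escape with addslashes() and splice the result
//    into the SQL text. addslashes() uses the backslash convention MySQL
//    understands; SQLite escapes a single quote by doubling it and gives
//    backslash no special meaning, so the string literal ends at \' and the
//    statement is rejected as malformed.
try {
    $db->exec("INSERT INTO quotes (body) VALUES ('" . addslashes($quote) . "')");
    echo "addslashes() insert accepted\n";
} catch (PDOException $e) {
    echo "addslashes() insert failed: ", $e->getMessage(), "\n";
}

// 2. A prepared statement: the quote travels as a bound parameter, is never
//    parsed as SQL, and needs neither addslashes() before the insert nor
//    stripslashes() after the select, whatever the database's quoting rule.
$stmt = $db->prepare('INSERT INTO quotes (body) VALUES (:body)');
$stmt->execute([':body' => $quote]);

// Read it back: the stored text is exactly what the visitor typed.
$stored = $db->query('SELECT body FROM quotes ORDER BY id DESC LIMIT 1')->fetchColumn();
echo $stored, "\n";
echo $stored === $quote ? "round trip intact\n" : "round trip altered\n";
```

The first insert shows why addslashes() is only a convenience for one family of databases: the escaping rule belongs to the database, not to PHP. The bound parameter in the second insert makes the quote's characters irrelevant to the SQL, which is also what stops a visitor's quote from changing the statement's meaning.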
Notes
Keep in mind that we didn't need to keep resetting the variable ($quote) in this example. We could
have simply echoed out the variable with a line like:
echo stripslashes($quote);
And then just used the same variable ($quote) to enter into a database if we wanted. I just reset
the variable to show you that the addslashes() and stripslashes() functions take in a string as an
argument and return a string when complete.
Also keep in mind that there are other functions, quotemeta(), addcslashes() and stripcslashes(),
which have their own uses in other areas, but for forms and submitting to databases, aren't really
needed.
