Главная | Руководство по MySQL | MySQL Manual | Документация к HTTP серверу Apache | Apache HTTP Server Documentation | downloads | faq

искать  Язык: Английский


stripslashes

(PHP 4, PHP 5)

stripslashesУдаляет экранирование символов, произведенное функцией addslashes()

Описание

string stripslashes ( string $str )

Удаляет экранирующие бэкслэши. (\' преобразуется в ', и т.д.). Двойные бэкслэши (\\) преобразуется в одиночные(\).

stripslashes() используется, например, когда директива конфигурации magic_quotes_gpc включена (она включена по умолчанию), и экранирование символов не требуется. Например, данные не вставляются в базу данных, а просто выводятся в браузер.

Пример #1 Пример использования stripslashes()

<?php
$str 
"Is your name O\'reilly?";

// выводит: Is your name O'reilly?
echo stripslashes($str);
?>

См. также описание функций addslashes() и get_magic_quotes_gpc().


User Contributed Notes
stripslashes
hawkeye at conreports dot de
21-Jan-2010 01:01
Another way to strip slashes only if necessary, independent of magic_quotes_gpc by comparing the count of (possibly) escaped characters and original characters.

<?php
function smartstripslashes($str) {
 
$cd1 = substr_count($str, "\"");
 
$cd2 = substr_count($str, "\\\"");
 
$cs1 = substr_count($str, "'");
 
$cs2 = substr_count($str, "\\'");
 
$tmp = strtr($str, array("\\\"" => "", "\\'" => ""));
 
$cb1 = substr_count($tmp, "\\");
 
$cb2 = substr_count($tmp, "\\\\");
  if (
$cd1 == $cd2 && $cs1 == $cs2 && $cb1 == 2 * $cb2) {
    return
strtr($str, array("\\\"" => "\"", "\\'" => "'", "\\\\" => "\\"));
  }
  return
$str;
}
?>
eugene at ultimatecms dot co dot za
23-Nov-2009 01:03
This is a simple function to remove the slashes added by functions such as magic_quotes_gpc and mysql_escape_string etc.

<?php

function no_magic_quotes($query) {
       
$data = explode("\\",$query);
       
$cleaned = implode("",$data);
        return
$cleaned;
}

// I'm using mysql_escape_string as a simple example, but this function would work for any escaped string.
$query = "It's amaizing! Who's to say this isn't a simple function?";
$badstring = mysql_escape_string($query);

echo
'<b>Without funtion:</b> '.$badstring;
echo
'<br><br>';
echo
'<b>With function:</b> '.no_magic_quotes($badstring);

?>

Output:
Without funtion: It\'s amaizing! Who\'s to say this isn\'t a simple function?

With function: It's amaizing! Who's to say this isn't a simple function?
michal at roszka dot pl
01-Sep-2009 03:00
The goal is to leave the input untouched in PHP 5.2.8. Let's have this sample text given in $_POST['example']:

a backslash ( \ ), a single-quote ( ' ), a double-quote ( " ) and a null character ( \0 )

Let's have two simple scripts:

Script A:
<?php echo $_POST['example']; ?>

Script B:
<?php echo stripslashes($_POST['example']); ?>

Let's have four different configurations and corresponding output:

Case #1:

 * magic_quotes_gpc = Off
 * magic_quotes_sybase = Off

A: a backslash ( \ ), a single-quote ( ' ), a double-quote ( " ) and a null character ( \0 )
B: a backslash (  ), a single-quote ( ' ), a double-quote ( " ) and a null character ( �_ )

Case #2

 * magic_quotes_gpc = On
 * magic_quotes_sybase = Off

A: a backslash ( \\ ), a single-quote ( \' ), a double-quote ( \" ) and a null character ( \\0 )
B: a backslash ( \ ), a single-quote ( ' ), a double-quote ( " ) and a null character ( \0 )

Case #3

 * magic_quotes_gpc = On
 * magic_quotes_sybase = On
 
A: a backslash ( \ ), a single-quote ( '' ), a double-quote ( " ) and a null character ( \0 )
B: a backslash ( \ ), a single-quote ( ' ), a double-quote ( " ) and a null character ( �_ )

Case #4

 * magic_quotes_gpc = Off
 * magic_quotes_sybase = On

A: a backslash ( \ ), a single-quote ( ' ), a double-quote ( " ) and a null character ( \0 )
B: a backslash (  ), a single-quote ( ' ), a double-quote ( " ) and a null character ( �_ )

Conclusions:

1) we do not need to do anything, if the magic_quotes_gpc is disabled (cases 1 and 4);
2) stripslashes($_POST['example']) only works, if the magic_quotes_gpc is enabled, but the magic_quotes_sybase is disabled (case 2);
3) str_replace("''", "'", $_POST['example']) will do the trick if both the magic_quotes_gpc and the magic_quotes_sybase are enabled (case 3);

<?php
function disable_magic_quotes_gpc()
{
    if (
TRUE == function_exists('get_magic_quotes_gpc') && 1 == get_magic_quotes_gpc())
    {
       
$mqs = strtolower(ini_get('magic_quotes_sybase'));

        if (
TRUE == empty($mqs) || 'off' == $mqs)
        {
           
// we need to do stripslashes on $_GET, $_POST and $_COOKIE
       
}
        else
        {
           
// we need to do str_replace("''", "'", ...) on $_GET, $_POST, $_COOKIE
       
}
    }
   
// otherwise we do not need to do anything
}
?>

Important notes:

1) arrays need to be processed recursively;

2) both stripslashes and str_replace functions always return strings, so:

* TRUE will become a string "1",
* FALSE will become an empty string,
* integers and floats will become strings,
* NULL will become an empty string.

On the other hand you only need to process strings, so use the is_string function to check;

3) when dealing with other (than GPC) data sources, such as databases or text files, remember to play with the magic_quotes_runtime setting as well, see, what happens and write a corresponding function, i.e. disable_magic_quotes_runtime() or something.

4) VERY IMPORTANT: when testing, remember the null character. Otherwise your tests will be inconclusive and you may end up with... well, serious bugs :)
JacobRas.nl
28-Jul-2009 12:41
Hi,

Here's an function that strips not only \', but also \\' and \\\' and so on (depending on $times). $text = the text that needs to be stripped, $times = how much backslashes should be stripped.

<?php

function stripslashes_deep ($text, $times) {
   
   
$i = 0;
   
   
// loop will execute $times times.
   
while (strstr($text, '\\') && $i != $times) {
       
       
$text= stripslashes($text);
       
$i++;
       
    }
   
    return
$text;
   
}

?>

Example: $text = \\'quote\\' . <?php stripslashes_deep($text, 2); ?> will return 'quote'.
Note: <?php stripslashes_deep($text, 3); ?> will also return 'quote'.
shredder at technodrome dot com
09-May-2009 10:50
Hi,

Here are recursive addslashes / stripslashes functions.
given a string - it will simply add / strip slashes
given an array - it will recursively add / strip slashes from the array and all of it subarrays.
if the value is not a string or array - it will remain unmodified!

<?php

function add_slashes_recursive( $variable )
{
    if (
is_string( $variable ) )
        return
addslashes( $variable ) ;

    elseif (
is_array( $variable ) )
        foreach(
$variable as $i => $value )
           
$variable[ $i ] = add_slashes_recursive( $value ) ;

    return
$variable ;
}

function
strip_slashes_recursive( $variable )
{
    if (
is_string( $variable ) )
        return
stripslashes( $variable ) ;
    if (
is_array( $variable ) )
        foreach(
$variable as $i => $value )
           
$variable[ $i ] = strip_slashes_recursive( $value ) ;
   
    return
$variable ;
}

?>
dragon[dot]dionysius[at]gmail[dot]com
24-Mar-2009 04:07
I use this function in my class to stripslashes arrays including NULL-check:

<?php
   
private function stripslashes_deep($value) {
        if(
is_array($value)) {
            foreach(
$value as $k => $v) {
               
$return[$k] = $this->stripslashes_deep($v);
            }
        } elseif(isset(
$value)) {
           
$return = stripslashes($value);
        }
        return
$return;
    }
?>
Tom Worster
23-Mar-2009 03:26
A replacement that should be safe on utf-8 strings.
<?php
  preg_replace
(array('/\x5C(?!\x5C)/u', '/\x5C\x5C/u'), array('','\\'), $s);
?>
o-zone at zerozone dot it
19-Mar-2009 11:53
If you need to remove all slashes from a string, here's a quick hack:

<?php
function stripallslashes($string) {
    while(
strchr($string,'\\')) {
       
$string = stripslashes($string);
    }
}
?>

Hope it's usefull , O-Zone
techdesk100
28-Apr-2008 02:58
Function which checks if $input has correct slashes,
otherwise adds slashes. For cases when you are not sure the input is not already addslashed.

    public function addslashes_once($input){
        //These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
        $pattern = array("\\'", "\\\"", "\\\\", "\\0");
        $replace = array("", "", "", "");
        if(preg_match("/[\\\\'\"\\0]/", str_replace($pattern, $replace, $input))){
            return addslashes($input);
        }
        else{
            return $input;
        }
    }
Aditya P Bhatt (adityabhai at gmail dot com)
28-Mar-2008 06:03
Here is simple example code which you can use as a common function in your functions file:

<?php
function stripslashes_if_gpc_magic_quotes( $string ) {
    if(
get_magic_quotes_gpc()) {
        return
stripslashes($string);
    } else {
        return
$string;
    }
}
?>
Evgeny
26-Feb-2008 03:52
extended version of stripslashes_deep. This allow to strip one also in the array_keys

    function stripslashes_deep($value) {
        if (is_array($value)) {
            if (count($value)>0) {
                $return = array_combine(array_map('stripslashes_deep', array_keys($value)),array_map('stripslashes_deep', array_values($value)));
            } else {
                $return = array_map('stripslashes_deep', $value);
            }
            return $return;
        } else {
            $return = stripslashes($value);
            return $return ;
        }
    }
tokyoahead
11-Jan-2008 05:39
I am using this here to clear data in a CMS against SQL injections and other mayhem. The flow is:

1. input into form
2. get from $_GET/$_POST
3. cleanup($data, true)
4. save to SQL
5. load from SQL
6. cleanup($data, false)
7. show in form for new edit or on the website

<?php
function cleanup($data, $write=false) {
    if (
is_array($data)) {
        foreach (
$data as $key => $value) {
           
$data[$key] = cleanup_lvl2($value, $write);
        }
    } else {
       
$data = cleanup_lvl2($data, $write);
    }
    return
$data;
}

function
cleanup_lvl2($data, $write=false) {
    if (isset(
$data)) { // preserve NULL
       
if (get_magic_quotes_gpc()) {
           
$data = stripslashes($data);
        }
        if (
$write) {
           
$data = mysql_real_escape_string($data);
        }
    }
    return
$data;
}
?>
alex dot launi at gmail dot com
21-Dec-2007 03:16
kibby: I modified the stripslashes_deep() function so that I could use it on NULL values.

function stripslashes_deep($value)
{
    if(isset($value)) {
        $value = is_array($value) ?
            array_map('stripslashes_deep', $value) :
            stripslashes($value);
    }
    return $value;
}
lukas.skowronski at gmail dot com
20-Jun-2007 11:15
If You want to delete all slashes from any table try to use my function:

function no_slashes($array)
    {
        foreach($array as $key=>$value)
            {
                if(is_array($value))
                    {
                        $value=no_slashes($value);
                        $array_temp[$key]=$value;                       
                    }
                else
                    {
                        $array_temp[$key]=stripslashes($value);
                    }
            }       
        return $array_temp;   
    }
dragonfly at networkinsight dot net
11-Mar-2007 11:22
If you are having trouble with stripslashes() corrupting binary data, try using urlencode() and urldecode() instead.
JAB Creations
06-Mar-2007 04:49
When writing to a flatfile such as an HTML page you'll notice slashes being inserted. When you write to that page it's interesting how to apply stripslashes...

I replaced this line...
<?php fwrite($file, $_POST['textarea']); ?>

With...
<?php if (get_magic_quotes_gpc()) {fwrite ($file, stripslashes($_POST['textarea']));}?>

You have to directly apply stripslashes to $_POST, $_GET, $_REQUEST, and $_COOKIE.
gregory at nutt dot ca
22-Feb-2007 02:48
Here is code I use to clean the results from a MySQL query using the stripslashes function.

I do it by passing the sql result and the sql columns to the function strip_slashes_mysql_results.  This way, my data is already clean by the time I want to use it.

    function db_query($querystring, $array, $columns)
    {
      if (!$this->connect_to_mysql())
       return 0;

     $queryresult = mysql_query($querystring, $this->link)
        or die("Invalid query: " . mysql_error());
   
      if(mysql_num_rows($queryresult))
      {
          $columns = mysql_field_names ($queryresult);
   
          if($array)
          {
              while($row = mysql_fetch_row($queryresult))
                $row_meta[] = $this->strip_slashes_mysql_results($row, $columns);
              return $row_meta;
          }
          else
          {
              while($row = mysql_fetch_object($queryresult))
                $row_meta[] = $this->strip_slashes_mysql_results($row, $columns);
              return $row_meta;
          }
      }
      else
        return 0;
    }
   
    function strip_slashes_mysql_results($result, $columns)
    {
        foreach($columns as $column)
        {
              if($this->debug)
                  printp(sprintf("strip_slashes_mysql_results: %s",strip_slashes_mysql_results));
              $result->$column = stripslashes($result->$column);
        }
        return $result;
    }
Allen
07-Feb-2007 07:41
In response to Tim's solution, it is only good for one-dimensional array.  If the variables happened to be multi-dimensional arrays, we still have to use function like 'stripslashes_deep'.
stoic
02-Jan-2007 04:31
in response to crab dot crab at gmail dot com:

$value need not be passed by reference. The 'stripped' value is returned. The passed value is not altered.
Kibby
14-May-2006 08:41
Okay, if using stripslashes_deep, it will definitely replace any NULL to "".  This will affect to coding that depends isset().  Please provide a workaround based on recent note.
hauser dot j at gmail dot com
21-Feb-2006 10:13
Don't use stripslashes if you depend on the values NULL.

Apparently stripslashes converts NULL to string(0) ""

<?php
$a
= null;
var_dump($a);

$b = stripslashes($a);
var_dump($b);
?>
Will output

NULL
string(0) ""
alf at mitose dot net
26-Oct-2005 12:09
Take care using stripslashes() if the text you want to insert in the database contain \n characters ! You'll see "n" instead of (not seeing) "\n".

It should be no problem for XML, but is still boring ...
10-Feb-2005 03:45
If you want to deal with slashes in double-byte encodings, such as shift_jis or big5, you may use this:

<?
function stripslashes2($string) {
   
$string = str_replace("\\\"", "\"", $string);
   
$string = str_replace("\\'", "'", $string);
   
$string = str_replace("\\\\", "\\", $string);
    return
$string;
}
?>
mattyblah at gmail dot com
10-Sep-2004 03:51
It should be of note that if you are stripping slashes to get rid of the slashes added by magic_quotes_gpc then it will also remove slashes from \. This may not seem that bad but if you have someone enter text such as 'testing\' with a slash at the end, this will cause an error if not corrected. It's best to strip the slashes, then add a slash to every single slash using $text = str_replace('\\', '\\\\', $text);
hash at samurai dot fm
01-Dec-2003 05:34
Might I warn readers that they should be vary careful with the use of stripslashes on Japanese text. The shift_jis character set includes a number of two-byte code charcters that contain the hex-value 0x5c (backslash) which will get stripped by this function thus garbling those characters.

What a nightmare!
 

 
credits | contact