reference/strings/functions/addslashes.xml
8cdc6621f9826d04abc3e50438c010804d7e8683
...
...
@@ -1,6 +1,6 @@
1
1
<?xml version="1.0" encoding="utf-8"?>
2
2
<!-- $Revision$ -->
3
-
<refentry xmlns="http://docbook.org/ns/docbook" xml:id="function.addslashes">
3
+
<refentry xml:id="function.addslashes" xmlns="http://docbook.org/ns/docbook">
4
4
<refnamediv>
5
5
<refname>addslashes</refname>
6
6
<refpurpose>Quote string with slashes</refpurpose>
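Review bot: Swapping the order of `xmlns` and `xml:id` on the `<refentry>` element changes nothing in the rendered manual and only adds noise to the diff; keep the original attribute order (or do the reorder repo-wide in a separate commit) so this hunk goes away and the substantive edit below is easier to review.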
...
...
@@ -10,51 +10,36 @@
10
10
&reftitle.description;
11
11
<methodsynopsis>
12
12
<type>string</type><methodname>addslashes</methodname>
13
-
<methodparam><type>string</type><parameter>str</parameter></methodparam>
13
+
<methodparam><type>string</type><parameter>string</parameter></methodparam>
14
14
</methodsynopsis>
15
15
<para>
16
-
Returns a string with backslashes before characters that need to be
17
-
escaped. These characters are single quote (<literal>'</literal>),
18
-
double quote (<literal>"</literal>), backslash
19
-
(<literal>\</literal>) and NUL (the &null; byte).
20
-
</para>
21
-
<para>
22
-
An example use of <function>addslashes</function> is when you're
23
-
entering data into string that is evaluated by PHP. For example,
24
-
<literal>O'Reilly</literal> is stored in $str, you need to escape
25
-
$str. (e.g. eval("echo '".addslashes($str)."';"); )
26
-
</para>
27
-
<para>
28
-
To escape database parameters, DBMS specific escape function
29
-
(e.g. <function>mysqli_real_escape_string</function> for MySQL or
30
-
<function>pg_escape_literal</function>, <function>pg_escape_string</function>
31
-
for PostgreSQL) should be used for security reasons. DBMSes have
32
-
differect escape specification for identifiers (e.g. Table name,
33
-
field name) than parameters. Some DBMS such as PostgreSQL provides
34
-
identifier escape
35
-
function, <function>pg_escape_identifier</function>, but not all
36
-
DBMS provides identifier escape API. If this is the case, refer to
37
-
your database system manual for proper escaping method.
16
+
Returns a string with backslashes added before characters that need to be
17
+
escaped. These characters are:
18
+
<simplelist>
19
+
<member>single quote (<literal>'</literal>)</member>
20
+
<member>double quote (<literal>"</literal>)</member>
21
+
<member>backslash (<literal>\</literal>)</member>
22
+
<member>NUL (the NUL byte)</member>
23
+
</simplelist>
38
24
</para>
39
25
<para>
40
-
If your DBMS doesn't have an escape function and the DBMS
41
-
uses <literal>\</literal> to escape special chars, you might be
42
-
able to use this function only when this escape method is adequate for
43
-
your database. Please note that use
44
-
of <function>addslashes</function> for database parameter escaping
45
-
can be cause of security issues on most databases.
26
+
A use case of <function>addslashes</function> is escaping the aforementioned
27
+
characters in a string that is to be evaluated by PHP:
28
+
<informalexample>
29
+
<programlisting role="php">
30
+
<![CDATA[
31
+
<?php
32
+
$str = "O'Reilly?";
33
+
eval("echo '" . addslashes($str) . "';");
34
+
?>
35
+
]]>
36
+
</programlisting>
37
+
</informalexample>
46
38
</para>
47
39
<para>
48
-
The PHP directive <link linkend="ini.magic-quotes-gpc">
49
-
magic_quotes_gpc</link> was <literal>on</literal> by default before
50
-
PHP 5.4, and it essentially ran <function>addslashes</function> on
51
-
all GET, POST, and COOKIE data. Do not
52
-
use <function>addslashes</function> on strings that have already
53
-
been escaped with
54
-
<link linkend="ini.magic-quotes-gpc">magic_quotes_gpc</link> as you'll
55
-
then do double escaping. The function
56
-
<function>get_magic_quotes_gpc</function> may come in handy for
57
-
checking this.
40
+
The <function>addslashes</function> is sometimes incorrectly used to try to prevent
41
+
<link linkend="security.database.sql-injection">SQL Injection</link>. Instead,
42
+
database-specific escaping functions and/or prepared statements should be used.
58
43
</para>
59
44
</refsect1>
60
45

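Review bot: The new closing paragraph reads "The <function>addslashes</function> is sometimes incorrectly used"; drop the leading "The" so it reads "<function>addslashes</function> is sometimes incorrectly used to try to prevent ...". Two smaller points in the same hunk: the new simplelist writes "<member>NUL (the NUL byte)</member>" where the old text used the `&null;` entity, so check which form the rest of the manual uses for consistency; and the rewrite removes the old caveat that identifiers (table and field names) are escaped differently from parameters, so either keep one sentence to that effect or confirm the linked SQL injection section already covers it.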
...
...
@@ -63,7 +48,7 @@
63
48
<para>
64
49
<variablelist>
65
50
<varlistentry>
66
-
<term><parameter>str</parameter></term>
51
+
<term><parameter>string</parameter></term>
67
52
<listitem>
68
53
<para>
69
54
The string to be escaped.
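Review bot: Renaming the parameter from `str` to `string` here matches the `<methodparam>` change in the synopsis, but any other `<parameter>str</parameter>` reference left in the file (for example in the return-value text) would now name a parameter that no longer exists; grep the file for the old name before merging. The `$str` in the later example (`echo addslashes($str);` in the next hunk's context) is a local variable, not the parameter, so it can stay.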
...
...
@@ -115,7 +100,6 @@ echo addslashes($str);
115
100
</refsect1>
116
101

117
102
</refentry>
118
-

119
103
<!-- Keep this comment at the end of the file
120
104
Local variables:
121
105
mode: sgml
122
106
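Review bot: Dropping the blank line between `</refentry>` and the `<!-- Keep this comment at the end of the file` block is an unrelated whitespace change; like the attribute reorder in the first hunk it belongs in its own commit, or should be left as is if the other reference pages keep that blank line.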