reference/strings/functions/addslashes.xml
8cdc6621f9826d04abc3e50438c010804d7e8683
...
...
@@ -1,6 +1,6 @@
1
1
<?xml version="1.0" encoding="utf-8"?>
2
2
<!-- $Revision$ -->
3
-
<refentry xmlns="http://docbook.org/ns/docbook" xml:id="function.addslashes">
3
+
<refentry xml:id="function.addslashes" xmlns="http://docbook.org/ns/docbook">
4
4
<refnamediv>
5
5
<refname>addslashes</refname>
6
6
<refpurpose>Quote string with slashes</refpurpose>
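Review bot: the attribute swap on `<refentry>` (moving `xml:id` before `xmlns`) is purely cosmetic and unrelated to the parameter rename and text changes in the rest of the commit; it is fine if it brings the element in line with the ordering used across the rest of the reference tree, but that should be stated in the commit message so the change does not read as accidental churn.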
...
...
@@ -10,41 +10,36 @@
10
10
&reftitle.description;
11
11
<methodsynopsis>
12
12
<type>string</type><methodname>addslashes</methodname>
13
-
<methodparam><type>string</type><parameter>str</parameter></methodparam>
13
+
<methodparam><type>string</type><parameter>string</parameter></methodparam>
14
14
</methodsynopsis>
15
15
<para>
16
-
Returns a string with backslashes before characters that need
17
-
to be quoted in database queries etc. These characters are
18
-
single quote (<literal>'</literal>), double quote
19
-
(<literal>"</literal>), backslash (<literal>\</literal>)
20
-
and NUL (the &null; byte).
16
+
Returns a string with backslashes added before characters that need to be
17
+
escaped. These characters are:
18
+
<simplelist>
19
+
<member>single quote (<literal>'</literal>)</member>
20
+
<member>double quote (<literal>"</literal>)</member>
21
+
<member>backslash (<literal>\</literal>)</member>
22
+
<member>NUL (the NUL byte)</member>
23
+
</simplelist>
21
24
</para>
22
25
<para>
23
-
An example use of <function>addslashes</function> is when you're
24
-
entering data into a database. For example, to insert the name
25
-
<literal>O'reilly</literal> into a database, you will need to escape
26
-
it. It's highly recommended to use DBMS specific escape function
27
-
(e.g. <function>mysqli_real_escape_string</function> for MySQL or
28
-
<function>pg_escape_string</function> for PostgreSQL), but
29
-
if the DBMS you're using doesn't have an escape function
30
-
and the DBMS uses <literal>\</literal> to escape special chars,
31
-
you can use this function. This would only be to get the data
32
-
into the database, the extra <literal>\</literal> will not be inserted.
33
-
Having the PHP directive <link linkend="ini.magic-quotes-sybase">
34
-
magic_quotes_sybase</link> set to <literal>on</literal> will mean
35
-
<literal>'</literal> is instead escaped with another
36
-
<literal>'</literal>.
26
+
A use case of <function>addslashes</function> is escaping the aforementioned
27
+
characters in a string that is to be evaluated by PHP:
28
+
<informalexample>
29
+
<programlisting role="php">
30
+
<![CDATA[
31
+
<?php
32
+
$str = "O'Reilly?";
33
+
eval("echo '" . addslashes($str) . "';");
34
+
?>
35
+
]]>
36
+
</programlisting>
37
+
</informalexample>
37
38
</para>
38
39
<para>
39
-
The PHP directive <link linkend="ini.magic-quotes-gpc">
40
-
magic_quotes_gpc</link> was <literal>on</literal> by default before PHP 5.4, and it
41
-
essentially ran <function>addslashes</function> on all GET, POST,
42
-
and COOKIE data. Do not use <function>addslashes</function> on
43
-
strings that have already been escaped with
44
-
<link linkend="ini.magic-quotes-gpc">magic_quotes_gpc</link> as you'll
45
-
then do double escaping. The function
46
-
<function>get_magic_quotes_gpc</function> may come in handy for
47
-
checking this.
40
+
The <function>addslashes</function> is sometimes incorrectly used to try to prevent
41
+
<link linkend="security.database.sql-injection">SQL Injection</link>. Instead,
42
+
database-specific escaping functions and/or prepared statements should be used.
48
43
</para>
49
44
</refsect1>
50
45

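Review bot: the new `eval()` example overstates what addslashes achieves for a PHP single-quoted literal. Inside `'...'` PHP only interprets `\'` and `\\`; a `\"` or a backslash before a NUL byte is kept verbatim, so for input containing `"` the echoed result would contain a stray backslash. Suggest the sentence "escaping the aforementioned characters in a string that is to be evaluated by PHP" say that the example is for a single-quoted literal and that the backslashes added before `"` and NUL survive into the output. Two smaller points in the same hunk: "The <function>addslashes</function> is sometimes incorrectly used" should drop the leading "The", and the `&null;` entity was replaced by the literal text "NUL byte" in the `<member>` line; if the entity is still defined it should be kept for consistency with the rest of the manual. Dropping the magic_quotes_gpc/magic_quotes_sybase paragraphs is appropriate, and the replacement pointing readers to prepared statements and DBMS-specific escaping for SQL injection is the right guidance.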
...
...
@@ -53,7 +48,7 @@
53
48
<para>
54
49
<variablelist>
55
50
<varlistentry>
56
-
<term><parameter>str</parameter></term>
51
+
<term><parameter>string</parameter></term>
57
52
<listitem>
58
53
<para>
59
54
The string to be escaped.
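Review bot: the `<term>` rename from `str` to `string` keeps the parameter list consistent with the synopsis changed in the first hunk; since the parameter name is visible to named-argument callers, check that a changelog entry exists for the version in which the parameter was renamed, and that no other `<parameter>str</parameter>` references remain elsewhere in this file.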
...
...
@@ -79,9 +74,9 @@
79
74
<programlisting role="php">
80
75
<![CDATA[
81
76
<?php
82
-
$str = "Is your name O'reilly?";
77
+
$str = "Is your name O'Reilly?";
83
78

84
-
// Outputs: Is your name O\'reilly?
79
+
// Outputs: Is your name O\'Reilly?
85
80
echo addslashes($str);
86
81
?>
87
82
]]>
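Review bot: the capitalisation fix is applied consistently to both the input string and the "Outputs:" comment, and the shown output (only the apostrophe gains a backslash) matches what addslashes produces for that input; nothing further needed here.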
...
...
@@ -105,7 +100,6 @@ echo addslashes($str);
105
100
</refsect1>
106
101

107
102
</refentry>
108
-

109
103
<!-- Keep this comment at the end of the file
110
104
Local variables:
111
105
mode: sgml
112
106
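Review bot: removing the blank line between `</refentry>` and the trailing Emacs local-variables comment is a whitespace-only change unrelated to the documented edits; acceptable, but it belongs in the commit message alongside the attribute reordering so the cosmetic and substantive parts of the commit are both accounted for.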