stripos
The goal is to leave the input untouched in PHP 5.2.8. Let's have this sample text given in $_POST['example']:
a backslash ( \ ), a single-quote ( ' ), a double-quote ( " ) and a null character ( \0 )
Let's have two simple scripts:
Script A:
<?php echo $_POST['example']; ?>
Script B:
<?php echo stripslashes($_POST['example']); ?>
Let's have four different configurations and corresponding output:
Case #1:
* magic_quotes_gpc = Off
* magic_quotes_sybase = Off
A: a backslash ( \ ), a single-quote ( ' ), a double-quote ( " ) and a null character ( \0 )
B: a backslash ( ), a single-quote ( ' ), a double-quote ( " ) and a null character ( � )
Case #2
* magic_quotes_gpc = On
* magic_quotes_sybase = Off
A: a backslash ( \\ ), a single-quote ( \' ), a double-quote ( \" ) and a null character ( \\0 )
B: a backslash ( \ ), a single-quote ( ' ), a double-quote ( " ) and a null character ( \0 )
Case #3
* magic_quotes_gpc = On
* magic_quotes_sybase = On
A: a backslash ( \ ), a single-quote ( '' ), a double-quote ( " ) and a null character ( \0 )
B: a backslash ( \ ), a single-quote ( ' ), a double-quote ( " ) and a null character ( � )
Case #4
* magic_quotes_gpc = Off
* magic_quotes_sybase = On
A: a backslash ( \ ), a single-quote ( ' ), a double-quote ( " ) and a null character ( \0 )
B: a backslash ( ), a single-quote ( ' ), a double-quote ( " ) and a null character ( � )
Conclusions:
1) we do not need to do anything, if the magic_quotes_gpc is disabled (cases 1 and 4);
2) stripslashes($_POST['example']) only works, if the magic_quotes_gpc is enabled, but the magic_quotes_sybase is disabled (case 2);
3) str_replace("''", "'", $_POST['example']) will do the trick if both the magic_quotes_gpc and the magic_quotes_sybase are enabled (case 3);
<?php
function disable_magic_quotes_gpc()
{
if (TRUE == function_exists('get_magic_quotes_gpc') && 1 == get_magic_quotes_gpc())
{
$mqs = strtolower(ini_get('magic_quotes_sybase'));
if (TRUE == empty($mqs) || 'off' == $mqs)
{
// we need to do stripslashes on $_GET, $_POST and $_COOKIE
}
else
{
// we need to do str_replace("''", "'", ...) on $_GET, $_POST, $_COOKIE
}
}
// otherwise we do not need to do anything
}
?>
Important notes:
1) arrays need to be processed recursively;
2) both stripslashes and str_replace functions always return strings, so:
* TRUE will become a string "1",
* FALSE will become an empty string,
* integers and floats will become strings,
* NULL will become an empty string.
On the other hand you only need to process strings, so use the is_string function to check;
3) when dealing with other (than GPC) data sources, such as databases or text files, remember to play with the magic_quotes_runtime setting as well, see, what happens and write a corresponding function, i.e. disable_magic_quotes_runtime() or something.
4) VERY IMPORTANT: when testing, remember the null character. Otherwise your tests will be inconclusive and you may end up with... well, serious bugs :)
stripslashes
(PHP 4, PHP 5)
stripslashes — Supprime les antislashs d'une chaîne
Description
string stripslashes
( string $str
)
Supprime les antislashs d'une chaîne.
Note: Si magic_quotes_sybase est activée, aucun antislash n'est supprimé, mais deux apostrophes sont remplacées par une seule à la place.
Un exemple d'utilisation de stripslashes() est lorsque la directive PHP magic_quotes_gpc est à on (valeur par défaut) et que vous insérez des données dans une base de données qui requiert la protection des valeurs. Par exemple, si vous affichez simplement et directement des données provenant d'un formulaire HTML.
Liste de paramètres
- str
-
La chaîne d'entrée.
Valeurs de retour
Retourne une chaîne dont les antislashs on été supprimés. \' devient ', etc. Les doubles antislashs (\\) sont réduits à un seul antislash (\).
Exemples
Exemple #1 Exemple avec stripslashes()
<?php
$str = "Avez-vous l\'oreille dure?";
// Affiche : Avez-vous l'oreille dure?
echo stripslashes($str);
?>
Note: stripslashes() n'est pas récursif. Si vous voulez appliquer cette fonction à un tableau multidimensionnel, vous devez utiliser une fonction récursive.
Exemple #2 Utilisation de stripslashes() sur un tableau
<?php
function stripslashes_deep($value)
{
$value = is_array($value) ?
array_map('stripslashes_deep', $value) :
stripslashes($value);
return $value;
}
// Exemple
$array = array("f\\'oo", "b\\'ar", array("fo\\'o", "b\\'ar"));
$array = stripslashes_deep($array);
// Affiche
print_r($array);
?>
L'exemple ci-dessus va afficher :
Array
(
[0] => f'oo
[1] => b'ar
[2] => Array
(
[0] => fo'o
[1] => b'ar
)
)
Voir aussi
- addslashes() - Ajoute des antislashs dans une chaîne
- get_magic_quotes_gpc() - Retourne la configuration actuelle de l'option magic_quotes_gpc
add a note
User Contributed Notesstripslashes
michal at roszka dot pl
01-Sep-2009 03:00
01-Sep-2009 03:00
JacobRas.nl
28-Jul-2009 12:41
28-Jul-2009 12:41
Hi,
Here's an function that strips not only \', but also \\' and \\\' and so on (depending on $times). $text = the text that needs to be stripped, $times = how much backslashes should be stripped.
<?php
function stripslashes_deep ($text, $times) {
$i = 0;
// loop will execute $times times.
while (strstr($text, '\\') && $i != $times) {
$text= stripslashes($text);
$i++;
}
return $text;
}
?>
Example: $text = \\'quote\\' . <?php stripslashes_deep($text, 2); ?> will return 'quote'.
Note: <?php stripslashes_deep($text, 3); ?> will also return 'quote'.
shredder at technodrome dot com
09-May-2009 10:50
09-May-2009 10:50
Hi,
Here are recursive addslashes / stripslashes functions.
given a string - it will simply add / strip slashes
given an array - it will recursively add / strip slashes from the array and all of it subarrays.
if the value is not a string or array - it will remain unmodified!
<?php
function add_slashes_recursive( $variable )
{
if ( is_string( $variable ) )
return addslashes( $variable ) ;
elseif ( is_array( $variable ) )
foreach( $variable as $i => $value )
$variable[ $i ] = add_slashes_recursive( $value ) ;
return $variable ;
}
function strip_slashes_recursive( $variable )
{
if ( is_string( $variable ) )
return stripslashes( $variable ) ;
if ( is_array( $variable ) )
foreach( $variable as $i => $value )
$variable[ $i ] = strip_slashes_recursive( $value ) ;
return $variable ;
}
?>
dragon[dot]dionysius[at]gmail[dot]com
24-Mar-2009 04:07
24-Mar-2009 04:07
I use this function in my class to stripslashes arrays including NULL-check:
<?php
private function stripslashes_deep($value) {
if(is_array($value)) {
foreach($value as $k => $v) {
$return[$k] = $this->stripslashes_deep($v);
}
} elseif(isset($value)) {
$return = stripslashes($value);
}
return $return;
}
?>
Tom Worster
23-Mar-2009 03:26
23-Mar-2009 03:26
A replacement that should be safe on utf-8 strings.
<?php
preg_replace(array('/\x5C(?!\x5C)/u', '/\x5C\x5C/u'), array('','\\'), $s);
?>
o-zone at zerozone dot it
19-Mar-2009 11:53
19-Mar-2009 11:53
If you need to remove all slashes from a string, here's a quick hack:
<?php
function stripallslashes($string) {
while(strchr($string,'\\')) {
$string = stripslashes($string);
}
}
?>
Hope it's usefull , O-Zone
techdesk100
28-Apr-2008 02:58
28-Apr-2008 02:58
Function which checks if $input has correct slashes,
otherwise adds slashes. For cases when you are not sure the input is not already addslashed.
public function addslashes_once($input){
//These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
$pattern = array("\\'", "\\\"", "\\\\", "\\0");
$replace = array("", "", "", "");
if(preg_match("/[\\\\'\"\\0]/", str_replace($pattern, $replace, $input))){
return addslashes($input);
}
else{
return $input;
}
}
Aditya P Bhatt (adityabhai at gmail dot com)
28-Mar-2008 06:03
28-Mar-2008 06:03
Here is simple example code which you can use as a common function in your functions file:
<?php
function stripslashes_if_gpc_magic_quotes( $string ) {
if(get_magic_quotes_gpc()) {
return stripslashes($string);
} else {
return $string;
}
}
?>
Evgeny
26-Feb-2008 03:52
26-Feb-2008 03:52
extended version of stripslashes_deep. This allow to strip one also in the array_keys
function stripslashes_deep($value) {
if (is_array($value)) {
if (count($value)>0) {
$return = array_combine(array_map('stripslashes_deep', array_keys($value)),array_map('stripslashes_deep', array_values($value)));
} else {
$return = array_map('stripslashes_deep', $value);
}
return $return;
} else {
$return = stripslashes($value);
return $return ;
}
}
tokyoahead
11-Jan-2008 05:39
11-Jan-2008 05:39
I am using this here to clear data in a CMS against SQL injections and other mayhem. The flow is:
1. input into form
2. get from $_GET/$_POST
3. cleanup($data, true)
4. save to SQL
5. load from SQL
6. cleanup($data, false)
7. show in form for new edit or on the website
<?php
function cleanup($data, $write=false) {
if (is_array($data)) {
foreach ($data as $key => $value) {
$data[$key] = cleanup_lvl2($value, $write);
}
} else {
$data = cleanup_lvl2($data, $write);
}
return $data;
}
function cleanup_lvl2($data, $write=false) {
if (isset($data)) { // preserve NULL
if (get_magic_quotes_gpc()) {
$data = stripslashes($data);
}
if ($write) {
$data = mysql_real_escape_string($data);
}
}
return $data;
}
?>
alex dot launi at gmail dot com
21-Dec-2007 03:16
21-Dec-2007 03:16
kibby: I modified the stripslashes_deep() function so that I could use it on NULL values.
function stripslashes_deep($value)
{
if(isset($value)) {
$value = is_array($value) ?
array_map('stripslashes_deep', $value) :
stripslashes($value);
}
return $value;
}
lukas.skowronski at gmail dot com
20-Jun-2007 11:15
20-Jun-2007 11:15
If You want to delete all slashes from any table try to use my function:
function no_slashes($array)
{
foreach($array as $key=>$value)
{
if(is_array($value))
{
$value=no_slashes($value);
$array_temp[$key]=$value;
}
else
{
$array_temp[$key]=stripslashes($value);
}
}
return $array_temp;
}
dragonfly at networkinsight dot net
11-Mar-2007 11:22
11-Mar-2007 11:22
If you are having trouble with stripslashes() corrupting binary data, try using urlencode() and urldecode() instead.
JAB Creations
06-Mar-2007 04:49
06-Mar-2007 04:49
When writing to a flatfile such as an HTML page you'll notice slashes being inserted. When you write to that page it's interesting how to apply stripslashes...
I replaced this line...
<?php fwrite($file, $_POST['textarea']); ?>
With...
<?php if (get_magic_quotes_gpc()) {fwrite ($file, stripslashes($_POST['textarea']));}?>
You have to directly apply stripslashes to $_POST, $_GET, $_REQUEST, and $_COOKIE.
gregory at nutt dot ca
22-Feb-2007 02:48
22-Feb-2007 02:48
Here is code I use to clean the results from a MySQL query using the stripslashes function.
I do it by passing the sql result and the sql columns to the function strip_slashes_mysql_results. This way, my data is already clean by the time I want to use it.
function db_query($querystring, $array, $columns)
{
if (!$this->connect_to_mysql())
return 0;
$queryresult = mysql_query($querystring, $this->link)
or die("Invalid query: " . mysql_error());
if(mysql_num_rows($queryresult))
{
$columns = mysql_field_names ($queryresult);
if($array)
{
while($row = mysql_fetch_row($queryresult))
$row_meta[] = $this->strip_slashes_mysql_results($row, $columns);
return $row_meta;
}
else
{
while($row = mysql_fetch_object($queryresult))
$row_meta[] = $this->strip_slashes_mysql_results($row, $columns);
return $row_meta;
}
}
else
return 0;
}
function strip_slashes_mysql_results($result, $columns)
{
foreach($columns as $column)
{
if($this->debug)
printp(sprintf("strip_slashes_mysql_results: %s",strip_slashes_mysql_results));
$result->$column = stripslashes($result->$column);
}
return $result;
}
Allen
07-Feb-2007 07:41
07-Feb-2007 07:41
In response to Tim's solution, it is only good for one-dimensional array. If the variables happened to be multi-dimensional arrays, we still have to use function like 'stripslashes_deep'.
stoic
02-Jan-2007 04:31
02-Jan-2007 04:31
in response to crab dot crab at gmail dot com:
$value need not be passed by reference. The 'stripped' value is returned. The passed value is not altered.
Kibby
14-May-2006 08:41
14-May-2006 08:41
Okay, if using stripslashes_deep, it will definitely replace any NULL to "". This will affect to coding that depends isset(). Please provide a workaround based on recent note.
hauser dot j at gmail dot com
21-Feb-2006 10:13
21-Feb-2006 10:13
Don't use stripslashes if you depend on the values NULL.
Apparently stripslashes converts NULL to string(0) ""
<?php
$a = null;
var_dump($a);
$b = stripslashes($a);
var_dump($b);
?>
Will output
NULL
string(0) ""
alf at mitose dot net
26-Oct-2005 12:09
26-Oct-2005 12:09
Take care using stripslashes() if the text you want to insert in the database contain \n characters ! You'll see "n" instead of (not seeing) "\n".
It should be no problem for XML, but is still boring ...
r_loebs at hotmail dot com
25-Jun-2005 02:03
25-Jun-2005 02:03
Of course why not just do an
if($r){ stuff; } <-- this will check it all, NULL, 0, ""
10-Feb-2005 03:45
If you want to deal with slashes in double-byte encodings, such as shift_jis or big5, you may use this:
<?
function stripslashes2($string) {
$string = str_replace("\\\"", "\"", $string);
$string = str_replace("\\'", "'", $string);
$string = str_replace("\\\\", "\\", $string);
return $string;
}
?>
mattyblah at gmail dot com
10-Sep-2004 03:51
10-Sep-2004 03:51
It should be of note that if you are stripping slashes to get rid of the slashes added by magic_quotes_gpc then it will also remove slashes from \. This may not seem that bad but if you have someone enter text such as 'testing\' with a slash at the end, this will cause an error if not corrected. It's best to strip the slashes, then add a slash to every single slash using $text = str_replace('\\', '\\\\', $text);
hash at samurai dot fm
01-Dec-2003 05:34
01-Dec-2003 05:34
Might I warn readers that they should be vary careful with the use of stripslashes on Japanese text. The shift_jis character set includes a number of two-byte code charcters that contain the hex-value 0x5c (backslash) which will get stripped by this function thus garbling those characters.
What a nightmare!