I have found the following to be much more appropriate code example:
<?php
$escaped = addcslashes($not_escaped, "\0..\37!@\@\177..\377");
?>
This will protect original, innocent backslashes from stripcslashes.
(PHP 4, PHP 5, PHP 7)
addcslashes — Quote string with slashes in a C style
$str
, string $charlist
)
Returns a string with backslashes before characters that are
listed in charlist
parameter.
str
The string to be escaped.
charlist
A list of characters to be escaped. If
charlist
contains characters
\n, \r etc., they are
converted in C-like style, while other non-alphanumeric characters
with ASCII codes lower than 32 and higher than 126 converted to
octal representation.
When you define a sequence of characters in the charlist argument make sure that you know what characters come between the characters that you set as the start and end of the range.
<?php
echo addcslashes('foo[ ]', 'A..z');
// output: \f\o\o\[ \]
// All upper and lower-case letters will be escaped
// ... but so will the [\]^_`
?>
<?php
echo addcslashes("zoo['.']", 'z..A');
// output: \zoo['\.']
?>
Be careful if you choose to escape characters 0, a, b, f, n, r, t and
v. They will be converted to \0, \a, \b, \f, \n, \r, \t and \v, all of
which are predefined escape sequences in C. Many of these sequences are
also defined in other C-derived languages, including PHP, meaning that
you may not get the desired result if you use the output of
addcslashes() to generate code in those languages
with these characters defined in charlist
.
Returns the escaped string.
Version | Description |
---|---|
5.2.5 | The escape sequences \v and \f were added. |
charlist
like "\0..\37", which would
escape all characters with ASCII code between 0 and 31.
Example #1 addcslashes() example
<?php
$escaped = addcslashes($not_escaped, "\0..\37!@\177..\377");
?>
I have found the following to be much more appropriate code example:
<?php
$escaped = addcslashes($not_escaped, "\0..\37!@\@\177..\377");
?>
This will protect original, innocent backslashes from stripcslashes.
If you are using addcslashes() to encode text which is to later be decoded back to it's original form, you MUST specify the backslash (\) character in charlist!
Example:
<?php
$originaltext = 'This text does NOT contain \\n a new-line!';
$encoded = addcslashes($originaltext, '\\');
$decoded = stripcslashes($encoded);
//$decoded now contains a copy of $originaltext with perfect integrity
echo $decoded; //Display the sentence with it's literal \n intact
?>
If the '\\' was not specified in addcslashes(), any literal \n (or other C-style special character) sequences in $originaltext would pass through un-encoded, but then be decoded into control characters by stripcslashes() and the data would lose it's integrity through the encode-decode transaction.
Be carefull with adding the \ to the list of encoded characters. When you add it at the last position it encodes all encoding slashes. I got a lot of \\\ by this mistake.
So always encode \ at first.
addcslashes() treats NUL as a string terminator:
assert("any" === addcslashes("any\0body", "-"));
unless you order it backslashified:
assert("any\\000body" === addcslashes("any\0body", "\0"));
(Uncertain whether this should be declared a bug or simply that addcslashes() is not binary-safe, whatever that means.)
jsAddSlashes for XHTML documents:
<?php
header("Content-type: text/xml");
print <<<EOF
<?xml version="1.0"?>
<html>
<head>
<script type="text/javascript">
EOF;
function jsAddSlashes($str) {
$pattern = array(
"/\\\\/" , "/\n/" , "/\r/" , "/\"/" ,
"/\'/" , "/&/" , "/</" , "/>/"
);
$replace = array(
"\\\\\\\\", "\\n" , "\\r" , "\\\"" ,
"\\'" , "\\x26" , "\\x3C" , "\\x3E"
);
return preg_replace($pattern, $replace, $str);
}
$message = jsAddSlashes("\"<Hello>\",\r\n'&World'\\!");
print <<<EOF
alert("$message");
</script>
</head>
<body>
<h1>Hello, World!</h1>
</body>
</html>
EOF;
?>
<?php
function jsaddslashes($s)
{
$o="";
$l=strlen($s);
for($i=0;$i<$l;$i++)
{
$c=$s[$i];
switch($c)
{
case '<': $o.='\\x3C'; break;
case '>': $o.='\\x3E'; break;
case '\'': $o.='\\\''; break;
case '\\': $o.='\\\\'; break;
case '"': $o.='\\"'; break;
case "\n": $o.='\\n'; break;
case "\r": $o.='\\r'; break;
default:
$o.=$c;
}
}
return $o;
}
?>
<script language="javascript">
document.write("<? echo jsaddslashes('<h1 style="color:red">hello</h1>'); ?>");
</script>
output :
<script language="javascript">
document.write("\x3Ch1 style=\"color:red\"\x3Ehello\x3C/h1\x3E");
</script>