java addslashes_php: using the PHP addslashes() function

User comments:

roysimke at microsoftsfirstmailprovider dot com (18-Jun-2010 04:35)

Never use the addslashes function to escape values you are going to send to MySQL. Use mysql_real_escape_string or pg_escape at least if you are not using prepared queries yet.

Keep in mind that the single quote is not the only special character that can break your SQL query, and quotes are the only thing addslashes cares about.

Simon Barrett (05-May-2010 04:46)

Here's a hassle-free function to use to check your query string before it's handed to the db. It will add/remove slashes according to the get_magic_quotes_gpc state.

    <?php
    function mysql_prep($value)
    {
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        } else {
            $value = addslashes($value);
        }
        return $value;
    }
    ?>

adam at NOSPAM dot awgtek dot com (19-Oct-2009 11:16)

When checking whether to addslashes, use get_magic_quotes_runtime(). Using get_magic_quotes_gpc() may not be accurate.

DarkHunterj (25-Aug-2009 08:11)

Based on: Danijel Pticar, 05-Aug-2009 05:22

I recommend this extended version, to replace addslashes altogether (works for both strings and arrays):

    <?php
    // The function header was lost in extraction; the name and the by-reference
    // parameter are taken from the recursive call in the body.
    function addslashesextended(&$arr_r)
    {
        if (is_array($arr_r)) {
            foreach ($arr_r as &$val) {
                if (is_array($val)) {
                    addslashesextended($val);
                } else {
                    $val = addslashes($val);
                }
            }
            unset($val);   // break the reference left behind by foreach
        } else {
            $arr_r = addslashes($arr_r);
        }
    }
    ?>

Danijel Pticar (06-Aug-2009 01:22)

Hi,

I use this recursive function for POST. It handles multidimensional arrays.

    <?php
    function as_array(&$arr_r)
    {
        foreach ($arr_r as &$val) {
            if (is_array($val)) {
                as_array($val);
            } else {
                $val = addslashes($val);
            }
        }
        unset($val);   // break the reference left behind by foreach
    }
    as_array($_POST);
    ?>

leocullen at fastmail dot fm (07-Feb-2009 05:06)

This is my version of an addslashes function, useful for processing the $_POST array:

    <?php
    function add_slashes($an_array) {
        $new_array = array();
        foreach ($an_array as $key => $value) {
            $new_array[$key] = addslashes($value);
        }
        return $new_array;   // the posted version never returned the result, so the call below had no effect
    }
    ?>

then call it:

    <?php
    $_POST = add_slashes($_POST);
    ?>

stuart at horuskol dot co dot uk (11-Dec-2008 06:44)

Be careful on whether you use double or single quotes when creating the string to be escaped:

    <?php
    // Single quotes: \r, \n and \t stay as literal backslash sequences,
    // so addslashes() doubles each backslash.
    $test = 'This is one line\r\nand this is another\r\nand this line has\ta tab';
    echo $test;
    echo "\r\n\r\n";
    echo addslashes($test);

    // Double quotes: the sequences become real control characters,
    // which addslashes() leaves untouched.
    $test = "This is one line\r\nand this is another\r\nand this line has\ta tab";
    echo $test;
    echo "\r\n\r\n";
    echo addslashes($test);
    ?>

Taslim Sohel (sohel62 at yahoo dot com) (08-Dec-2008 02:09)

About Raymond's and Aditya's posts:

The following code can help you to add slashes to a posted array. I just added a recursive function to Aditya's code.

    <?php
    // initialize variables
    $input_arr = array();
    // grabs the $_POST variables and adds slashes
    foreach ($_POST as $key => $input_arr) {
        if (is_array($input_arr)) {
            $_POST[$key] = addslashes_array($input_arr);
        } else {
            $_POST[$key] = addslashes($input_arr);
        }
    }

    // Recursive function to add slashes to a posted array.
    function addslashes_array($input_arr) {
        if (is_array($input_arr)) {
            $tmp = array();
            foreach ($input_arr as $key1 => $val) {
                $tmp[$key1] = addslashes_array($val);
            }
            return $tmp;
        } else {
            return addslashes($input_arr);
        }
    }
    ?>

Raymond Hofman (25-Jun-2008 03:14)

In addition to the post made by Aditya P Bhatt below: this code works fine for posting a single string but does not work for posting arrays.

Aditya P Bhatt (adityabhai at gmail dot com) (28-Mar-2008 01:59)

Automagically add slashes to $_POST variables. It helps to prevent some SQL injection attacks. Also works with $_GET variables.

FILE NAME: input_cl.php

    <?php
    // initialize variables
    $input_arr = array();
    // grabs the $_POST variables and adds slashes
    foreach ($_POST as $key => $input_arr) {
        $_POST[$key] = addslashes($input_arr);
    }
    ?>

Just put this at the top of your script that gets the variables. Here is an example.

Usage Example

    <?php
    include("input_cl.php");   // variables have slashes added to them
    $f_name    = $_POST["f_name"];
    $l_name    = $_POST["l_name"];
    $phone_num = $_POST["phone_num"];
    $address1  = $_POST["address1"];
    $address2  = $_POST["address2"];
    $city      = $_POST["city"];
    $State     = $_POST["State"];
    $zip       = $_POST["zip"];
    // sql insert code goes here.
    ?>

Edwin at NOSPAM dot example dot com (22-Jan-2008 11:11)

In the note below by Adrian C (3-3-2007), checkaddslashes will not behave well with strings starting with a single quote (because of the non-typed comparison) or with strings having a mix of escaped and non-escaped single quotes.

Although addslashes also escapes double quotes, this function worked fine for single quotes.

    <?php
    // The function header was lost in extraction; the name is assumed from the text above.
    function checkaddslashes($str) {
        // Hide quotes that are already escaped, then look for any unescaped one.
        $str2 = str_replace("\'", "*****", $str);
        if (strpos($str2, "'") !== false)
            return str_replace('*****', "\'", addslashes($str2));
        else
            return $str;
    }
    ?>

Nate from RuggFamily.com (25-May-2007 10:19)

If you want to add slashes to special symbols that would interfere with a regular expression (i.e., . \ + * ? [ ^ ] $ ( ) { } = ! < > | :), you should use the preg_quote() function.

yoder2 at purdue dot edu (28-Apr-2007 03:23)

To quote boris-pieper AT t-online DOT de, 15-Jan-2005 06:07:

Note: You should use mysql_real_escape_string() (http://php.net/mysql_real_escape_string) if possible (PHP >= 4.3.0) instead of mysql_escape_string().

You may also want to use it instead of addslashes.

sam dot fullman at verizon (21-Mar-2007 06:37)

There are other functions "kind of" like this one, but this should help adding slashes to a form post which also contains arrays (and you can't access runtime quotes), or when you need to add slashes to an array which is already stripped:

    <?php
    function addslashes_array($a) {
        if (is_array($a)) {
            $b = array();   // initialised so an empty array returns an empty array rather than null
            foreach ($a as $n => $v) {
                $b[$n] = addslashes_array($v);
            }
            return $b;
        } else {
            return addslashes($a);
        }
    }
    ?>

Note this does not add slashes to the keys; you could easily modify it to do this.

Adrian C (03-Mar-2007 10:06)

What happens when you add addslashes(addslashes($str))? This is not a good thing and it may be fixed:

    <?php
    function checkaddslashes($str) {
        // Drop quotes that are already escaped, then look for any unescaped one left.
        if (strpos(str_replace("\'", "", " $str"), "'") != false)
            return addslashes($str);
        else
            return $str;
    }
    ?>

    checkaddslashes("aa'bb");  => aa\'bb
    checkaddslashes("aa\'bb"); => aa\'bb
    checkaddslashes("\'");     => \'
    checkaddslashes("'");      => \'

Hope this will help you.

pulstar at ig dot com dot br (11-Sep-2006 10:50)

Maybe it is better to use the function mysql_real_escape_string instead of addslashes when inserting data into a MySQL database. Check it at:

http://www.php.net/manual/en/function.mysql-real-escape-string.php

joechrz at gmail dot com (20-Aug-2006 08:36)

Here's an example of a function that prevents double-quoting. I'm surprised no one has put something like this up yet... (also works on arrays)

    <?php
    // The function header was lost in extraction; the name is assumed.
    function addslashes_once($receive) {
        if (!is_array($receive)) $thearray = array($receive);
        else $thearray = $receive;

        foreach (array_keys($thearray) as $string) {
            $thearray[$string] = addslashes($thearray[$string]);
            // Collapse any run of backslashes to a single one, so a value that
            // was already escaped does not end up escaped twice.
            $thearray[$string] = preg_replace('/\\\\+/', '\\\\', $thearray[$string]);
        }

        if (!is_array($receive)) return $thearray[0];
        else return $thearray;
    }
    ?>

Picky (25-May-2006 03:55)

This function is deprecated in PHP 4.0, according to this article:

http://www.newsforge.com/article.pl?sid=06/05/23/2141246

Also, it is worth mentioning that PostgreSQL will soon start to block queries involving escaped single quotes using \ as the escape character, for some cases, which depends on the string's encoding. The standard way to escape quotes in SQL (not all SQL databases, mind you) is by changing single quotes into two single quotes (e.g., ' becomes '' for queries).

You should look into other ways for escaping strings, such as "mysql_real_escape_string" (see the comment below), and other such database-specific escape functions.

luciano at vittoretti dot com dot br (31-Oct-2005 07:18)

Note, this function won't work with MSSQL or Access queries.

Use the function above (works with arrays too).

    <?php
    function addslashes_mssql($str) {
        if (is_array($str)) {
            foreach ($str AS $id => $value) {
                $str[$id] = addslashes_mssql($value);
            }
        } else {
            $str = str_replace("'", "''", $str);   // T-SQL escapes a quote by doubling it
        }
        return $str;
    }

    function stripslashes_mssql($str) {
        if (is_array($str)) {
            foreach ($str AS $id => $value) {
                $str[$id] = stripslashes_mssql($value);
            }
        } else {
            $str = str_replace("''", "'", $str);
        }
        return $str;
    }
    ?>

thisisroot at gmail dot com (27-Sep-2005 12:30)

In response to Krasimir Slavov and Luiz Miguel Axcar:

There are several encoding schemes for inserting binary data into places it doesn't typically belong, such as databases and e-mail bodies. Check out the base64_encode() and convert_uuencode() functions for the details.

Krasimir Slavov kkslavov at yahoo dot com (17-Sep-2005 02:51)

If you have problems adding images or other binary data with addslashes(), for PHP >= 4.3 use:

    <?php
    // Replace the bytes MySQL treats specially with their escape sequences.
    $search  = array("\x00", "\x0a", "\x0d", "\x1a", "\x09");
    $replace = array('\0', '\n', '\r', '\Z', '\t');
    $chrData .= str_replace($search, $replace, $Data);
    ?>

and put it in your SQL as field='$chrData'! Please note the quotes.

Luiz Miguel Axcar (lmaxcar at yahoo dot com dot br) (01-Sep-2005 09:16)

Hello,

If you are having trouble getting your SGDB to write/read HTML data, try to use this:

    <?php
    // unhtmlentities() as found on the manual page
    function unhtmlentities($string) {
        $trans_tbl = get_html_translation_table(HTML_ENTITIES);
        $trans_tbl = array_flip($trans_tbl);
        return strtr($string, $trans_tbl);
    }

    // read from db
    $content = stripslashes(htmlspecialchars($field['content']));

    // write to db
    $content = unhtmlentities(addslashes(trim($_POST['content'])));

    // make sure the result of get_magic_quotes_gpc() == 0; otherwise you can get
    // strange slashes in your content from adding slashes twice
    // better to do this using addslashes
    $content = (!get_magic_quotes_gpc()) ? addslashes($content) : $content;
    ?>

unsafed (01-May-2005 11:23)

addslashes does NOT make your input safe for use in a database query! It only escapes according to what PHP defines, not what your database driver defines. Any use of this function to escape strings for use in a database is likely an error; mysql_real_escape_string, pg_escape_string, etc. should be used depending on your underlying database, as each database has different escaping requirements. In particular, MySQL wants \n, \r and \x1a escaped, which addslashes does NOT do. Therefore relying on addslashes is not a good idea at all and may make your code vulnerable to security risks. I really don't see what this function is supposed to do.

gv (07-Nov-2004 09:23)

Regarding the previous note using addslashes/stripslashes with regular expressions and databases, it looks as if the purpose of these functions gets mixed up.

addslashes encodes data to be sent to a database or something similar. Here you need addslashes because you send commands to the database as command strings that contain data, and thus you have to escape characters that are special in the command language like SQL. Therefore the use of addslashes on a regex does properly store the regex in the database.

stripslashes does the opposite: it decodes an addslashes-encoded string. However, retrieving data from a database works differently: it does not go through some string interpretation, because you actually retrieve your binary data in your variables. In other words: the data stored in your variable is the unmodified binary data that your database returned. You do not run stripslashes on data returned from a database. That way, the regexes are retrieved correctly, too.

This is different from other data exchange like urlencoded strings that you exchange with your browser. Here the data channel uses the same encodings in both directions: therefore you have to encode data to be sent and you have to decode data received.

percy at rotteveel dot ca (19-Oct-2004 11:08)

Be very careful when using addslashes and stripslashes in combination with regular expressions that will be stored in a MySQL database, especially when the regular expression contains escape characters!

To store a regular expression with escape characters in a MySQL database you use addslashes. For example:

    $l_reg_exp = addslashes('[\x00-\x1F]');

After this the variable $l_reg_exp will contain: [\\x00-\\x1F].

When you store this regular expression in a MySQL database, the regular expression in the database becomes [\x00-\x1F].

When you retrieve the regular expression from the MySQL database and apply the PHP function stripslashes(), the single backslashes will be gone! The regular expression will become [x00-x1F] and your regular expression might not work!

mark at hagers dot demon dot nl (27-Sep-2004 06:34)

I was stumped for a long time by the fact that even when using addslashes and stripslashes explicitly on the field values, double quotes (") still didn't seem to show up in strings read from a database. Until I looked at the source, and realised that the field value is just truncated at the first occurrence of a double quote. The remainder of the string is there (in the source), but is ignored when the form is displayed and submitted.

This can easily be solved by replacing double quotes with &quot; when building the form, like this:

    $fld_value = str_replace('"', '&quot;', $src_string);

The reverse replacement after the form submission is not necessary.

hazy underscore fakie at ringwraith dot org (13-Jul-2003 02:23)

Note that when using addslashes() on a string that includes Cyrillic characters, addslashes() totally mixes up the string, rendering it unusable.

phil at internetprojectmanagers dot com (10-Apr-2003 09:46)

re: problem with mcrypt, addslashes and mysql

Here is my solution to the problem of characters from mcrypt creating issues with mysql calls (due to characters which aren't cleaned up by addslashes).

Solution: simply convert your encryption string to hex, then back to binary when you are ready to decrypt.

    <?php
    // i.e.
    $encrypted = addslashes($string);
    $encrypted = bin2hex($encrypted);
    // ... then:
    $decrypted = hex2bin($encrypted);
    $decrypted = stripslashes($decrypted);

    // where hex2bin() is (PHP ships a built-in hex2bin() since 5.4, so only
    // define this one when it is missing):
    if (!function_exists('hex2bin')) {
        function hex2bin($hexdata) {
            $bindata = "";
            for ($i = 0; $i < strlen($hexdata); $i += 2) {
                $bindata .= chr(hexdec(substr($hexdata, $i, 2)));
            }
            return $bindata;
        }
    }
    ?>

One word of caution: this will increase the length of your initial data string, so you will need to increase the field length for your mysql database.

Cheers, Phil

PS. I knew that I'd eventually be able to give something back to the site!

phil at internetprojectmanagers dot com (10-Apr-2003 07:47)

re: encryption, addslashes and mysql

Note that mcrypt encryption may add in an apostrophe from the ASCII table which cannot be protected by addslashes. It may not even be on your keyboard.

Because encryption strings are random, you may not discover it unless you test (or stumble?) on the correct sequence which inserts an apostrophe in the encrypted string.

This means that testing is even more important where encryption is concerned. If I create a solution I'll post it here.

Phil

steve at teamITS dot com (18-Jan-2003 09:53)

For thelogrus, my testing shows the opposite: that a slashed string is stored correctly by MySQL. Consider

    insert into test (field1) values ('test\'test')

...which is stored as "test'test". If you were posting "Sir'Weaser" from a form to your script and have magic_quotes_gpc on, then the string is slashed already, so if you run addslashes() again you will be entering "Sir\\'Weaser" into MySQL. In that case "Sir\'Weaser" would be the correct output.

In summary, addslashes() is not necessary if magic_quotes_gpc is on.

mike at gyrate dot org (13-Jan-2003 06:05)

[Editor's note: See also the php.ini configuration magic_quotes_sybase at the URL http://www.php.net/manual/en/ref.sybase.php]

Please note that addslashes will NOT work with MSSQL, since MSSQL does not use the backslash character as an escape mechanism. Just double your quotes instead, or use this:

    <?php
    function mssql_addslashes($data) {
        $data = str_replace("'", "''", $data);
        return $data;
    }
    ?>

hoskerr at nukote dot com (13-Nov-2002 07:16)

Beware of using addslashes() on input to the serialize() function. serialize() stores strings with their length; the length must match the stored string or unserialize() will fail. Such a mismatch can occur if you serialize the result of addslashes() and store it in a database; some databases (definitely including PostgreSQL) automagically strip backslashes from "special" chars in SELECT results, causing the returned string to be shorter than it was when it was serialized.

In other words, do this...

    <?php
    $string = "O'Reilly";
    $ser    = serialize($string);   # safe -- won't count the slash
    $result = addslashes($ser);
    ?>

...and not this...

    <?php
    $string = "O'Reilly";
    $add    = addslashes($string);  # RISKY! -- will count the slash
    $result = serialize($add);
    ?>

In both cases, a backslash will be added after the apostrophe in "O'Reilly"; only in the second case will the backslash be included in the string length as recorded by serialize().

[Note to the maintainers: You may, at your option, want to link this note to serialize() as well as to addslashes(). I'll refrain from doing such cross-posting myself...]
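The two orderings from the note above, worked through as an added example (not part of hoskerr's comment); the database's backslash stripping is simulated with stripslashes() on the value read back, which is an assumption standing in for the PostgreSQL behaviour described rather than a real round trip.

```php
<?php
// Added example: the safe and the risky order of serialize() and addslashes().
// The database's backslash stripping that the note describes is simulated
// here with stripslashes() on the value read back (an assumption, not a real
// PostgreSQL round trip).

function round_trip_serialize_first(string $value)
{
    $stored  = addslashes(serialize($value));  // length recorded before the slash exists
    $fetched = stripslashes($stored);          // simulated SELECT: the slash is removed again
    return unserialize($fetched);
}

function round_trip_addslashes_first(string $value)
{
    $stored  = serialize(addslashes($value));  // length now counts the slash
    $fetched = stripslashes($stored);          // slash removed, recorded length unchanged
    return @unserialize($fetched);             // returns false on the length mismatch
}

// Constructed input with the apostrophe from the note.
$input = "O'Reilly";
echo 'serialize first : ', addslashes(serialize($input)), ' -> ',
     var_export(round_trip_serialize_first($input), true), "\n";
echo 'addslashes first: ', serialize(addslashes($input)), ' -> ',
     var_export(round_trip_addslashes_first($input), true), "\n";
```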

php at slamb dot org (31-Oct-2002 02:48)

spamdunk at home dot com, your way is dangerous on PostgreSQL (and presumably MySQL). You're quite correct that ANSI SQL specifies using ' to escape, but those databases also support \ for escaping (in violation of the standard, I think). Which means that if they pass in a string that includes a "\'", you expand it to "\'''" (an escaped quote followed by a non-escaped quote. WRONG! Attackers can execute arbitrary SQL to drop your tables, make themselves administrators, whatever they want.)

The best way to be safe and correct is to:

- don't use magic quotes; this approach is bad. For starters, that's making the assumption that you will be using your input in a database query, which is arbitrary. (Why not escape all "<"? Cross-site scripting attacks are quite common as well.) It's better to set up a way that does whatever escaping is correct for you when you use it, as below:

- when inserting into the database, use prepared statements with placeholders. For example, when using PEAR DB:

    <?php
    $stmt = $dbh->prepare('update mb_users set password = ? where username = ?');
    $dbh->execute($stmt, array('12345', 'bob'));
    ?>

Notice that there are no quotes around the ?s. It handles that for you automatically. It's guaranteed to be safe for your database. (Just ' on Oracle, \ and ' on PostgreSQL, but you don't even have to think about it.)

Plus, if the database supports prepared statements (the soon-to-be-released PostgreSQL 7.3, Oracle, etc), several executes on the same prepare can be faster, since it can reuse the same query plan. If it doesn't (MySQL, etc), this way falls back to quoting code that's specifically written for your database, avoiding the problem I mentioned above.

(Pardon my syntax if it's off. I'm not really a PHP programmer; this is something I know from similar things in Java, Perl, PL/SQL, Python, Visual Basic, etc.)

guy_AT_datalink_DOT_net_DOT_au (30-Mar-2002 05:58)

If you're trying to escape quotes in a javascript event as such:

    <img src="foo.gif" OnMouseOver="alert('<?php print $myString ?>')">

It helps to perform this first:

    <?php
    $myString = str_replace("'", "\'", $myString);
    $myString = str_replace('"', "'+String.fromCharCode(34)+'", $myString);
    ?>
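An added example, not from the comment above, of the same onmouseover case done with context-aware encoding instead of hand-written str_replace() calls: json_encode() produces the JavaScript string literal and htmlspecialchars() then makes it safe inside the attribute. The helper names js_literal_for_attribute() and mouseover_img() are mine.

```php
<?php
// Added example: encode once for the JavaScript context, then once for the
// HTML attribute context. The HTML parser undoes the outer layer and the
// JavaScript engine undoes the inner one, so the script sees the original.

function js_literal_for_attribute(string $value): string
{
    // JSON_HEX_* turn ' " < > & into \uXXXX escapes, so the literal contains no
    // character that could close the attribute, the string or the element.
    $js = json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
    // The double quotes around the JSON literal become &quot; here and are
    // decoded back by the HTML parser before the event handler runs.
    return htmlspecialchars($js, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function mouseover_img(string $src, string $message): string
{
    return sprintf(
        '<img src="%s" onmouseover="alert(%s)">',
        htmlspecialchars($src, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
        js_literal_for_attribute($message)
    );
}

// Constructed message mixing both quote styles, a tag and a newline.
$message = "It's a \"test\" <b>with</b> a\nnewline";
echo mouseover_img('foo.gif', $message), "\n";
```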

hybrid at n0spam dot pearlmagik dot com (09-May-2001 01:46)

Remember to slash underscores (_) and percent signs (%), too, if you're going to use the LIKE operator on the variable, or you'll get some unexpected results.
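An added example (not from any of the comments) covering the placeholder approach from php at slamb dot org's post above and the LIKE wildcards from this one, run against an in-memory SQLite database through PDO so it needs no server. It assumes the pdo_sqlite extension is loaded and reuses the mb_users table name from that post; open_db() and escape_like() are my own helper names.

```php
<?php
// Added example: parameter binding with PDO plus literal LIKE matching,
// against an in-memory SQLite database (assumes ext/pdo_sqlite).

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE mb_users (username TEXT PRIMARY KEY, password TEXT)');
    return $db;
}

// Escape the LIKE metacharacters % and _ (and the escape character itself)
// so a user-supplied search term is matched literally. The ESCAPE clause in
// the query tells the database which character was chosen.
function escape_like(string $term, string $esc = '!'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $term);
}

$db = open_db();

// Constructed rows: an apostrophe, a backslash-apostrophe pair and an underscore.
$users = [["O'Reilly", 'pw1'], ["bob\\'s", 'pw2'], ['under_score', 'pw3'], ['underXscore', 'pw4']];
$ins = $db->prepare('INSERT INTO mb_users (username, password) VALUES (?, ?)');
foreach ($users as [$u, $p]) {
    $ins->execute([$u, $p]);   // values never enter the SQL text, so nothing is escaped by hand
}

// The driver's own quoting next to addslashes(): SQLite, like standard SQL,
// doubles the quote rather than prefixing a backslash.
echo 'driver quote: ', $db->quote("O'Reilly"), "\n";
echo 'addslashes  : ', addslashes("O'Reilly"), "\n";

// The update from the slamb post, with placeholders instead of quoting.
$upd = $db->prepare('UPDATE mb_users SET password = ? WHERE username = ?');
$upd->execute(['12345', "bob\\'s"]);

// Read back: the awkward usernames come out byte-for-byte as inserted.
foreach ($db->query('SELECT username, password FROM mb_users ORDER BY username') as $row) {
    echo $row['username'], ' => ', $row['password'], "\n";
}

// LIKE with a term containing "_": escaped, only the literal underscore row
// matches; passed through raw, "_" is a single-character wildcard and the
// "underXscore" row matches as well.
$sel = $db->prepare("SELECT COUNT(*) FROM mb_users WHERE username LIKE ? ESCAPE '!'");
$sel->execute([escape_like('under_score')]);
echo 'escaped term matches: ', $sel->fetchColumn(), "\n";
$sel->closeCursor();
$sel->execute(['under_score']);
echo 'raw term matches    : ', $sel->fetchColumn(), "\n";
```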

php at NO_SPAMj-w3 dot com (03-Apr-2001 06:18)

As mentioned, magic_quotes_gpc automatically adds slashes to POST and GET data, and these slashes don't go in the database. BUT, be careful of this. If you have a form with an error check, make sure you strip the slashes if your form remembers the OK fields, so the user doesn't view these automagically added slashes.
