PHP String Quoting/Unquoting Functions
PHP has several functions for quoting and unquoting strings. They are used when inserting data into, or fetching data from, a database, and they help defend against SQL injection. Please note that these functions alone will not eliminate SQL injection; there are better methods available, such as PDO.
Functions for Quoting a PHP String
1) addcslashes()
2) addslashes()
3) mysql_real_escape_string()
Functions for Unquoting a PHP String
1) stripcslashes()
2) stripslashes()
Let's go through them one by one.
1) addcslashes()
Quotes a string with slashes in C style. This function takes two arguments.
string (required)
This parameter defines the string which needs to be quoted.
charlist (required)
This parameter defines the list of characters to be escaped.
Usage:
<?php
// 'A..z' is the ASCII range from 'A' (65) to 'z' (122): every uppercase and
// lowercase letter, plus the characters [ \ ] ^ _ ` that lie between 'Z' and 'a'.
echo addcslashes('abcs', 'A..z');
// Output: \a\b\c\s
?>
2) addslashes()
This function quotes a string with slashes: it adds a backslash before each character that needs to be quoted for use in database queries and similar contexts.
The characters affected are the single quote ('), the double quote ("), the backslash (\) and the NUL byte.
This function takes only one parameter, the string to be quoted.
string (required)
This parameter defines the string which needs to be escaped.
Usage:
<?php
echo addslashes("It's taking too much time.");
// Output: It\'s taking too much time.
?>
3) mysql_real_escape_string()
This function escapes the special characters in a string for use in an SQL statement.
This function takes two parameters.
Note: it is recommended to use the database-specific escape function. For MySQL it should be mysql_real_escape_string(), and for MySQLi it should be mysqli_real_escape_string().
string (required)
This is the string which needs to be escaped for use in an SQL statement.
link identifier (optional)
This is the MySQL link identifier.
Note: if this is not specified, the function uses the last connection opened by mysql_connect(). If no open connection is found, it tries to connect with mysql_connect() using blank arguments, and generates an E_WARNING level error if no connection can be made that way.
Usage:
<?php
// Requires an open mysql_connect() link; see the note above.
echo mysql_real_escape_string("this s'houl'd be Quot'ed");
// Output: this s\'houl\'d be Quot\'ed
?>
4) stripcslashes()
This function un-quotes a string that was quoted by addcslashes().
This function takes only one parameter, the string to be un-quoted.
Usage:
<?php
// In a double-quoted PHP string \' is not an escape sequence, so the
// backslashes are part of the input and stripcslashes() removes them.
echo stripcslashes("This is for Un\'Quo\'te");
// Output: This is for Un'Quo'te
?>
5) stripslashes()
This function un-quotes a string that was quoted by addslashes().
This function takes only one parameter, the string to be un-quoted.
Usage:
<?php
echo stripslashes("This is for Un\'Quo\'te");
// Output: This is for Un'Quo'te
?>
Better Way to Escape the String
<?php
function sql_quote($value)
{
    // If magic quotes are enabled, PHP has already added slashes to the
    // incoming value; strip them first so it is not escaped twice.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Prefer the MySQL-specific escape function when it is available.
    if (function_exists("mysql_real_escape_string")) {
        $value = mysql_real_escape_string($value);
    } else {
        // PHP versions before 4.3.0 do not have it; fall back to addslashes().
        $value = addslashes($value);
    }
    // Return the quoted string.
    return $value;
}
?>
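The following is an added example, not code from the original post: it round-trips the quoting functions described above (including the addcslashes()/stripcslashes() pitfall with the 'A..z' range used earlier) and then contrasts splicing an escaped value into SQL text with the PDO prepared statement the post recommends. It assumes PHP 7 or later with the pdo_sqlite extension, using an in-memory SQLite database as a stand-in for MySQL so it runs offline.

```php
<?php
// Added example, not from the original post. Assumes PHP 7+ with pdo_sqlite.

// 1) addslashes()/stripslashes() round-trip cleanly.
$raw    = "It's a \"test\" with a back\\slash";
$quoted = addslashes($raw);
var_dump(stripslashes($quoted) === $raw);          // bool(true)

// 2) addcslashes() with the 'A..z' range from the post. The range also covers
//    [ \ ] ^ _ ` (between 'Z' and 'a'), and the letters a, b, f, n, r, t, v
//    become C escape sequences, so stripcslashes() decodes "\a" as the BEL
//    byte (0x07) and "\b" as backspace (0x08) rather than restoring the text.
$quoted = addcslashes('abcs', 'A..z');
echo $quoted, "\n";                                 // \a\b\c\s
var_dump(stripcslashes($quoted) === 'abcs');        // bool(false)
echo bin2hex(stripcslashes($quoted)), "\n";         // 07086373

// 3) Escaping into SQL text vs. binding a parameter. An in-memory SQLite
//    database stands in for MySQL so this runs offline; quoting rules differ
//    between databases, which is why the post says to use the escape function
//    that belongs to the database you are actually connected to.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');
$name = "O'Brien";                                  // constructed sample value

try {
    // addslashes() produces O\'Brien, but SQLite escapes a quote as '' and
    // treats the backslash literally, so this statement is malformed.
    $pdo->exec("INSERT INTO users (name) VALUES ('" . addslashes($name) . "')");
} catch (PDOException $e) {
    echo "addslashes() does not match SQLite quoting: ", $e->getMessage(), "\n";
}

// PDO::quote() applies the connected driver's own quoting rules.
$pdo->exec("INSERT INTO users (name) VALUES (" . $pdo->quote($name) . ")");

// Binding keeps the value out of the SQL text entirely; this is the approach
// to prefer over any of the escape functions.
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => $name]);

// Each successful insert stored the name with its quote intact.
var_dump($pdo->query('SELECT name FROM users')->fetchAll(PDO::FETCH_COLUMN));
```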
In conclusion: these functions are useful for quoting and un-quoting strings for various uses, such as inserting data into a database or running a SELECT query against it.
More From Avinash