PHP: addcslashes

Description

string addcslashes ( string str, string charlist )

Returns a string with backslashes before characters that are listed in charlist parameter. It escapes \n, \r etc. in C-like style, characters with ASCII code lower than 32 and higher than 126 are converted to octal representation.

Be careful if you choose to escape characters 0, a, b, f, n, r, t and v. They will be converted to \0, \a, \b, \f, \n, \r, \t and \v. In PHP \0 (NULL), \r (carriage return), \n (newline) and \t (tab) are predefined escape sequences, while in C all of these are predefined escape sequences.

charlist like "\0..\37", which would escape all characters with ASCII code between 0 and 31.
Example 1. addcslashes() example

<?php $escaped = addcslashes($not_escaped, "\0..\37!@\177..\377"); ?>

When you define a sequence of characters in the charlist argument make sure that you know what characters come between the characters that you set as the start and end of the range.


<?php

echo addcslashes('foo[ ]', 'A..z');

// output:  \f\o\o\[ \]

// All upper and lower-case letters will be escaped

// ... but so will the [\]^_` and any tabs, line

// feeds, carriage returns, etc.

?>

Also, if the first character in a range has a higher ASCII value than the second character in the range, no range will be constructed. Only the start, end and period characters will be escaped. Use the ord() function to find the ASCII value for a character.


<?php

echo addcslashes("zoo['.']", 'z..A');

// output:  \zoo['\.']

?>

User Contributed Notes
addcslashes

phpcoder at cyberpimp dot pimpdomain dot com
20-Jan-2005 02:35


Forgot to add something:

The only time you would likely use addcslashes() without specifying the backslash (\) character in charlist is when you are VALIDATING (not encoding!) a data string.



(Validation ensures that all control characters and other unsafe characters are correctly encoded / escaped, but does not alter any pre-existing escape sequences.)



You can validate a data string multiple times without fear of "double encoding".  A single decoding pass will return the original data, regardless of how many times it was validated.)

phpcoder at cyberpimp dot pimpdomain dot com
20-Jan-2005 01:02


If you are using addcslashes() to encode text which is to later be decoded back to it's original form, you MUST specify the backslash (\) character in charlist!



Example:



<?php

  $originaltext = 'This text does NOT contain \\n a new-line!';

  $encoded = addcslashes($originaltext, '\\');

  $decoded = stripcslashes($encoded);

  //$decoded now contains a copy of $originaltext with perfect integrity

  echo $decoded; //Display the sentence with it's literal \n intact

?>



If the '\\' was not specified in addcslashes(), any literal \n (or other C-style special character) sequences in $originaltext would pass through un-encoded, but then be decoded into control characters by stripcslashes() and the data would lose it's integrity through the encode-decode transaction.

ruben at intesys dot it
31-May-2004 11:51


jsAddSlashes for XHTML documents:



<?php

header("Content-type: text/xml");



print <<<EOF

<?xml version="1.0"?>

<html>

<head>

<script type="text/javascript">



EOF;



function jsAddSlashes($str) {

    $pattern = array(

        "/\\\\/"  , "/\n/"    , "/\r/"    , "/\"/"    ,

        "/\'/"    , "/&/"     , "/</"     , "/>/"

    );

    $replace = array(

        "\\\\\\\\", "\\n"     , "\\r"     , "\\\""    ,

        "\\'"     , "\\x26"   , "\\x3C"   , "\\x3E"

    );

    return preg_replace($pattern, $replace, $str);

}



$message = jsAddSlashes("\"<Hello>\",\r\n'&World'\\!");



print <<<EOF

alert("$message");

</script>

</head>

<body>

<h1>Hello, World!</h1>

</body>

</html>



EOF;

?>

21-Sep-2003 01:44


<?

function jsaddslashes($s)

{

 $o="";

 $l=strlen($s);

 for($i=0;$i<$l;$i++)

 {

  $c=$s[$i];

  switch($c)

  {

   case '<': $o.='\\x3C'; break;

   case '>': $o.='\\x3E'; break;

   case '\'': $o.='\\\''; break;

   case '\\': $o.='\\\\'; break;

   case '"':  $o.='\\"'; break;

   case "\n": $o.='\\n'; break;

   case "\r": $o.='\\r'; break;

   default:

   $o.=$c;

  }

 }

 return $o;

}



?>

<script language="javascript">

document.write("<? echo jsaddslashes('<h1 style="color:red">hello</h1>'); ?>");

</script>



output :



<script language="javascript">

document.write("\x3Ch1 style=\"color:red\"\x3Ehello\x3C/h1\x3E");

</script>

natNOSPAM at noworrie dot NO_SPAM dot com
17-May-2002 06:22


I have found the following to be much more appropriate code example:





<?php


$escaped = addcslashes($not_escaped, "\0..\37!@\@\177..\377");


?>





This will protect original, innocent backslashes from stripcslashes.