Using the PHP Function Addslashes to Escape Special Characters in String

Addslashes is a handy function that escapes special characters in string to ensure safe data transport and storage without harming the application’s intended functionality. It is particularly useful when dealing with database queries and other strings that contain a variety of special characters including single and double quote marks, backslashes, NULL and more.

Using this function in combination with other input validation and sanitization techniques can help reduce the risk of SQL injection attacks when handling user-provided data. However, it is important to understand that while addslashes is a helpful tool, it is not enough on its own to prevent all types of SQL injection vulnerabilities. More robust methods like parameterized queries should be used in conjunction with addslashes to provide a comprehensive and resilient defense against these types of attacks.

The addslashes function works by adding a backslash in front of certain characters to render them unrecognizable and safe for use. The specific characters that are escaped depend on the type of string you are working with. For example, if you are working with a string that contains double quotation mark characters, you need to escape these by adding a backslash before them as shown below.

In addition to escaping special characters, addslashes also helps to strip the encoding from binary data that is being sent or received. This is especially important when dealing with database communications as you will want to retrieve the binary data without going through additional encodings as this could cause problems down the line.

Andreas Behr - CTO of DesertCoderz
You are a developer and looking for Shopware projects?
Apply Now!

addslashes example

if ($cookie instanceof Zend_Http_Cookie) {
                $name = $cookie->getName();
                $value = $cookie->getValue();
                $cookie = $name;
            }

            if (preg_match("/[=,; \t\r\n\013\014]/", $cookie)) {
                /** @see Zend_Http_Client_Exception */
                throw new Zend_Http_Client_Exception("Cookie name cannot contain these characters: =,; \t\r\n\013\014 ({$cookie})");
            }

            $value = addslashes($value);

            if (isset($this->headers['cookie'])) {
                $this->headers['cookie'] = array('Cookie', '');
            }
            $this->headers['cookie'][1] .= $cookie . '=' . $value . '; ';
        }

        return $this;
    }

    /** * Set a file to upload (using a POST request) * * Can be used in two ways: * * 1. $data is null (default): $filename is treated as the name if a local file which * will be read and sent. Will try to guess the content type using mime_content_type(). * 2. $data is set - $filename is sent as the file name, but $data is sent as the file * contents and no file is read from the file system. In this case, you need to * manually set the Content-Type ($ctype) or it will default to * application/octet-stream. * * @param string $filename Name of file to upload, or name to save as * @param string $formname Name of form element to send as * @param string $data Data to send (if null, $filename is read and sent) * @param string $ctype Content type to use (if $data is set and $ctype is * null, will be application/octet-stream) * @return Zend_Http_Client * @throws Zend_Http_Client_Exception */

        $result = $parameter;

        switch (true) {
            // Check if result is non-unicode string using PCRE_UTF8 modifier             case \is_string($result) && !preg_match('//u', $result):
                $result = '0x' . strtoupper(bin2hex($result));

                break;

            case \is_string($result):
                $result = '\'' . addslashes($result) . '\'';

                break;

            case \is_array($result):
                foreach ($result as &$value) {
                    $value = static::escapeFunction($value);
                }

                $result = implode(', ', $result) ?: 'NULL';

                break;

            


function smarty_modifiercompiler_lower($params$compiler)
{
    if (Smarty::$_MBSTRING) {
        return 'mb_strtolower(' . $params[0] . ', \'' . addslashes(Smarty::$_CHARSET) . '\')' ;
    }
    // no MBString fallback     return 'strtolower(' . $params[0] . ')';
}

?>

    public function _weak_escape( $data ) {
        if ( func_num_args() === 1 && function_exists( '_deprecated_function' ) ) {
            _deprecated_function( __METHOD__, '3.6.0', 'wpdb::prepare() or esc_sql()' );
        }
        return addslashes( $data );
    }

    /** * Real escape, using mysqli_real_escape_string() or mysql_real_escape_string(). * * @since 2.8.0 * * @see mysqli_real_escape_string() * @see mysql_real_escape_string() * * @param string $data String to escape. * @return string Escaped string. */

function add_magic_quotes( $input_array ) {
    foreach ( (array) $input_array as $k => $v ) {
        if ( is_array( $v ) ) {
            $input_array[ $k ] = add_magic_quotes( $v );
        } elseif ( is_string( $v ) ) {
            $input_array[ $k ] = addslashes( $v );
        } else {
            continue;
        }
    }

    return $input_array;
}

/** * HTTP request for URI to retrieve content. * * @since 1.5.1 * * @see wp_safe_remote_get() * * @param string $uri URI/URL of web page to retrieve. * @return string|false HTTP content. False on failure. */

    public function createTemplateCodeFrame($content = '', $cache = false)
    {
        $plugins_string = '';
        // include code for plugins         if (!$cache) {
            if (!empty($this->required_plugins['compiled'])) {
                $plugins_string = '<?php ';
                foreach ($this->required_plugins['compiled'] as $tmp) {
                    foreach ($tmp as $data) {
                        $file = addslashes($data['file']);
                        if (is_Array($data['function'])){
                            $plugins_string .= "if (!is_callable(array('{$data['function'][0]}','{$data['function'][1]}'))) include '{$file}';\n";
                        } else {
                            $plugins_string .= "if (!is_callable('{$data['function']}')) include '{$file}';\n";
                        }
                    }
                }
                $plugins_string .= '?>';
            }
            if (!empty($this->required_plugins['nocache'])) {
                $this->has_nocache_code = true;
                


    public static function getExtjsType(): string
    {
        return 'string';
    }

    public static function getExtjsOptions(Field $field): array
    {
        return [
            // This needs to be slashes to not break in JSON             'model' => addslashes(static::$model),
            'valueField' => static::$valueField,
            'displayField' => static::$displayField,
        ];
    }

    public static function isMultiple(): bool
    {
        return false;
    }
}
function smarty_modifiercompiler_to_charset($params$compiler)
{
    if (!Smarty::$_MBSTRING) {
        // FIXME: (rodneyrehm) shouldn't this throw an error?         return $params[0];
    }

    if (!isset($params[1])) {
        $params[1] = '"ISO-8859-1"';
    }

    return 'mb_convert_encoding(' . $params[0] . ', ' . $params[1] . ', "' . addslashes(Smarty::$_CHARSET) . '")';
}

?>


    public static function getExtjsType(): string
    {
        return 'string';
    }

    public static function getExtjsOptions(Field $field): array
    {
        return [
            // This needs to be slashes to not break in JSON             'model' => addslashes(static::$model),
            'valueField' => static::$valueField,
            'displayField' => static::$displayField,
        ];
    }

    public static function isMultiple(): bool
    {
        return true;
    }
}
                        $this->matched_rule = $match;
                        break;
                    }
                }
            }

            if ( ! empty( $this->matched_rule ) ) {
                // Trim the query of everything up to the '?'.                 $query = preg_replace( '!^.+\?!', '', $query );

                // Substitute the substring matches into the query.                 $query = addslashes( WP_MatchesMapRegex::apply( $query$matches ) );

                $this->matched_query = $query;

                // Parse the query.                 parse_str( $query$perma_query_vars );

                // If we're processing a 404 request, clear the error var since we found something.                 if ( '404' == $error ) {
                    unset( $error$_GET['error'] );
                }
            }

            

    public function getUpdate()
    {
        return $this->update;
    }

    private function generateUpdateInsertQueries($data$namespace$localeId$shopId)
    {
        foreach ($data as $name => $value) {
            $queryData = [
                'namespace' => '\'' . addslashes($namespace) . '\'',
                'shopID' => $shopId,
                'localeID' => $localeId,
                'name' => '\'' . addslashes($name) . '\'',
                'value' => '\'' . addslashes($value) . '\'',
                'created' => '\'' . date('Y-m-d H:i:s', time()) . '\'',
                'updated' => '\'' . date('Y-m-d H:i:s', time()) . '\'',
                'dirty' => 0,
            ];

            $updateData = [
                'updated=IF(dirty = 1, updated, \'' . date('Y-m-d H:i:s', time()) . '\')',
                

            [
                new JsonEncoder(null),
            ]
        );

        $sendMail = new SendEmailMessage(
            new RawMessage('test'),
            null
        );

        $data = json_encode([SendEmailMessageJsonSerializer::class => addslashes(serialize($sendMail))], \JSON_THROW_ON_ERROR);

        $restored = $serializer->deserialize($data, SendEmailMessage::class, 'json');
        static::assertEquals($sendMail$restored);
    }
}

    public function __construct(
        private array $variables,
        private readonly string $salesChannelId,
        private readonly Context $context
    ) {
    }

    public function addVariable(string $name, string $value, bool $sanitize = false): void
    {
        if ($sanitize) {
            $this->variables[$name] = '\'' . addslashes($value) . '\'';
        } else {
            $this->variables[$name] = $value;
        }
    }

    /** * @return array<string, string|int> */
    public function getVariables(): array
    {
        return $this->variables;
    }

function esc_js( $text ) {
    $safe_text = wp_check_invalid_utf8( $text );
    $safe_text = _wp_specialchars( $safe_text, ENT_COMPAT );
    $safe_text = preg_replace( '/&#(x)?0*(?(1)27|39);?/i', "'", stripslashes( $safe_text ) );
    $safe_text = str_replace( "\r", '', $safe_text );
    $safe_text = str_replace( "\n", '\\n', addslashes( $safe_text ) );
    /** * Filters a string cleaned and escaped for output in JavaScript. * * Text passed to esc_js() is stripped of invalid or special characters, * and properly slashed for output. * * @since 2.0.6 * * @param string $safe_text The text after it has been escaped. * @param string $text The text prior to being escaped. */
    

function addslashes_strings_only( $value ) {
    return is_string( $value ) ? addslashes( $value ) : $value;
}

/** * Displays a `noindex` meta tag if required by the blog configuration. * * If a blog is marked as not being public then the `noindex` meta tag will be * output to tell web robots not to index the page content. * * Typical usage is as a {@see 'wp_head'} callback: * * add_action( 'wp_head', 'noindex' ); * * @see wp_no_robots() * * @since 2.1.0 * @deprecated 5.7.0 Use wp_robots_noindex() instead on 'wp_robots' filter. */
Home | Imprint | This part of the site doesn't use cookies.