String Functions
Be carefull with adding the \ to the list of encoded characters. When you add it at the last position it encodes all encoding slashes. I got a lot of \\\ by this mistake.
So always encode \ at first.
addcslashes
(PHP 4, PHP 5)
addcslashes — Quote string with slashes in a C style
Description
string addcslashes
( string
$str
, string $charlist
)
Returns a string with backslashes before characters that are
listed in charlist parameter.
Parameters
-
str -
The string to be escaped.
-
charlist -
A list of characters to be escaped. If
charlistcontains characters \n, \r etc., they are converted in C-like style, while other non-alphanumeric characters with ASCII codes lower than 32 and higher than 126 converted to octal representation.When you define a sequence of characters in the charlist argument make sure that you know what characters come between the characters that you set as the start and end of the range.
Also, if the first character in a range has a higher ASCII value than the second character in the range, no range will be constructed. Only the start, end and period characters will be escaped. Use the ord() function to find the ASCII value for a character.<?php
echo addcslashes('foo[ ]', 'A..z');
// output: \f\o\o\[ \]
// All upper and lower-case letters will be escaped
// ... but so will the [\]^_`
?><?php
echo addcslashes("zoo['.']", 'z..A');
// output: \zoo['\.']
?>Be careful if you choose to escape characters 0, a, b, f, n, r, t and v. They will be converted to \0, \a, \b, \f, \n, \r, \t and \v. In PHP \0 (NULL), \r (carriage return), \n (newline), \f (form feed), \v (vertical tab) and \t (tab) are predefined escape sequences, while in C all of these are predefined escape sequences.
Return Values
Returns the escaped string.
Changelog
| Version | Description |
|---|---|
| 5.2.5 | The escape sequences \v and \f were added. |
Examples
charlist like "\0..\37", which would
escape all characters with ASCII code between 0 and 31.
Example #1 addcslashes() example
<?php
$escaped = addcslashes($not_escaped, "\0..\37!@\177..\377");
?>
See Also
- stripcslashes() - Un-quote string quoted with addcslashes
- stripslashes() - Un-quotes a quoted string
- addslashes() - Quote string with slashes
- htmlspecialchars() - Convert special characters to HTML entities
- quotemeta() - Quote meta characters
add a note
User Contributed Notes
addcslashes - [8 notes]
Johannes ¶
5 years ago
kongaspar at gmail dot com ¶
3 years ago
Perhaps the following is a more efficient JavaScript escape function:
<?php
function jsEscape($str) {
return addcslashes($str,"\\\'\"&\n\r<>");
}
?>
phpcoder at cyberpimp dot pimpdomain dot com ¶
8 years ago
If you are using addcslashes() to encode text which is to later be decoded back to it's original form, you MUST specify the backslash (\) character in charlist!
Example:
<?php
$originaltext = 'This text does NOT contain \\n a new-line!';
$encoded = addcslashes($originaltext, '\\');
$decoded = stripcslashes($encoded);
//$decoded now contains a copy of $originaltext with perfect integrity
echo $decoded; //Display the sentence with it's literal \n intact
?>
If the '\\' was not specified in addcslashes(), any literal \n (or other C-style special character) sequences in $originaltext would pass through un-encoded, but then be decoded into control characters by stripcslashes() and the data would lose it's integrity through the encode-decode transaction.
Anonymous ¶
9 years ago
<?php
function jsaddslashes($s)
{
$o="";
$l=strlen($s);
for($i=0;$i<$l;$i++)
{
$c=$s[$i];
switch($c)
{
case '<': $o.='\\x3C'; break;
case '>': $o.='\\x3E'; break;
case '\'': $o.='\\\''; break;
case '\\': $o.='\\\\'; break;
case '"': $o.='\\"'; break;
case "\n": $o.='\\n'; break;
case "\r": $o.='\\r'; break;
default:
$o.=$c;
}
}
return $o;
}
?>
<script language="javascript">
document.write("<? echo jsaddslashes('<h1 style="color:red">hello</h1>'); ?>");
</script>
output :
<script language="javascript">
document.write("\x3Ch1 style=\"color:red\"\x3Ehello\x3C/h1\x3E");
</script>
stein at visibone dot com ¶
5 years ago
addcslashes() treats NUL as a string terminator:
assert("any" === addcslashes("any\0body", "-"));
unless you order it backslashified:
assert("any\\000body" === addcslashes("any\0body", "\0"));
(Uncertain whether this should be declared a bug or simply that addcslashes() is not binary-safe, whatever that means.)
ruben at intesys dot it ¶
8 years ago
jsAddSlashes for XHTML documents:
<?php
header("Content-type: text/xml");
print <<<EOF
<?xml version="1.0"?>
<html>
<head>
<script type="text/javascript">
EOF;
function jsAddSlashes($str) {
$pattern = array(
"/\\\\/" , "/\n/" , "/\r/" , "/\"/" ,
"/\'/" , "/&/" , "/</" , "/>/"
);
$replace = array(
"\\\\\\\\", "\\n" , "\\r" , "\\\"" ,
"\\'" , "\\x26" , "\\x3C" , "\\x3E"
);
return preg_replace($pattern, $replace, $str);
}
$message = jsAddSlashes("\"<Hello>\",\r\n'&World'\\!");
print <<<EOF
alert("$message");
</script>
</head>
<body>
<h1>Hello, World!</h1>
</body>
</html>
EOF;
?>
natNOSPAM at noworrie dot NO_SPAM dot com ¶
10 years ago
I have found the following to be much more appropriate code example:
<?php
$escaped = addcslashes($not_escaped, "\0..\37!@\@\177..\377");
?>
This will protect original, innocent backslashes from stripcslashes.
phpcoder at cyberpimp dot pimpdomain dot com ¶
8 years ago
Forgot to add something:
The only time you would likely use addcslashes() without specifying the backslash (\) character in charlist is when you are VALIDATING (not encoding!) a data string.
(Validation ensures that all control characters and other unsafe characters are correctly encoded / escaped, but does not alter any pre-existing escape sequences.)
You can validate a data string multiple times without fear of "double encoding". A single decoding pass will return the original data, regardless of how many times it was validated.)