PHP 手册
后退前进


stripslashes

(PHP 3, PHP 4, PHP 5)

stripslashes --  Un-quote string quoted with addslashes()

Description

string stripslashes ( string str )

Returns a string with backslashes stripped off. (\' becomes ' and so on.) Double backslashes (\\) are made into a single backslash (\).

注: If magic_quotes_sybase is on, no backslashes are stripped off but two apostrophes are replaced by one instead.

An example use of stripslashes() is when the PHP directive magic_quotes_gpc is on (it's on by default), and you aren't inserting this data into a place (such as a database) that requires escaping. For example, if you're simply outputting data straight from an HTML form.

例子 1. A stripslashes() example

<?php
$str = "Is your name O\'reilly?";

// Outputs: Is your name O'reilly?
echo stripslashes($str);
?>

注: stripslashes() is not recursive. If you want to apply this function to a mutli-dimensional array, you need to use a recursive function.

例子 2. Using stripslashes() on an array

<?php
function stripslashes_deep($value)
{
    $value = is_array($value) ?
                array_map('stripslashes_deep', $value) :
                stripslashes($value);

    return $value;
}

// Example
$array = array("f\\'oo", "b\\'ar", array("fo\\'o", "b\\'ar"));
$array = stripslashes_deep($array);

// Output
print_r($array);
?>

上例将输出:

Array
(
    [0] => f'oo
    [1] => b'ar
    [2] => Array
        (
            [0] => fo'o
            [1] => b'ar
        )

)

For more information about "magic quotes", see get_magic_quotes_gpc().

See also addslashes() and get_magic_quotes_gpc().


add a note add a note User Contributed Notes
kevin at digital-nw dot com
15-Jul-2006 03:53
Why double nest the if's like that? All you need to do is check that the value is a string type as only these are effected by GPC. Also need to check for empty to avoid the NULL issues, and if it is empty "" there isn't much reason to do anything anyway.

<?
if ( get_magic_quotes_gpc() ) {
   function stripslashes_deep($value) {
       if( is_array($value) )
       {
             $value = array_map('stripslashes_deep', $value)
       }
       elseif ( !empty($value) && is_string($value) )
       {
             $value = stripslashes($value);
       }
       return $value;
   }

   $_POST = stripslashes_deep($_POST);
   $_GET = stripslashes_deep($_GET);
   $_COOKIE = stripslashes_deep($_COOKIE);
}
?>
Kibby
14-May-2006 05:49
For hauser's note, here's a solution:

<?
if ( get_magic_quotes_gpc() ) {
   function stripslashes_deep($value) {
       $value = is_array($value) ? array_map('stripslashes_deep', $value) : (isset($value) ? stripslashes($value) : null);
       return $value;
   }

   $_POST = stripslashes_deep($_POST);
   $_GET = stripslashes_deep($_GET);
   $_COOKIE = stripslashes_deep($_COOKIE);
}
?>
Kibby
14-May-2006 04:41
Okay, if using stripslashes_deep, it will definitely replace any NULL to "".  This will affect to coding that depends isset().  Please provide a workaround based on recent note.
hauser dot j at gmail dot com
21-Feb-2006 06:13
Don't use stripslashes if you depend on the values NULL.

Apparently stripslashes converts NULL to string(0) ""

<?php
$a = null;
var_dump($a);

$b = stripslashes($a);
var_dump($b);
?>
Will output

NULL
string(0) ""
alexandre dot lemiere at laposte dot net
17-Jan-2006 12:39
if you want to strip the slashes on your post variables you'd better use function stripslashes_deep from above. Because POST could contain arrays.

ie :
if ( get_magic_quotes_gpc() ) {
   function stripslashes_deep($value) {
       $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
       return $value;
   }
   $_POST = stripslashes_deep($_POST);
   $_GET = stripslashes_deep($_GET);
   $_COOKIE = stripslashes_deep($_COOKIE);
}
php at baskettcase dot com
09-Dec-2005 09:28
Ugh. Ok sorry I used the wrong function, I should have used array_map

$_POST = array_map('stripslashes', $_POST);
php at baskettcase dot com
09-Dec-2005 08:53
array_walk is not used enough. I see several people doing a foreach to strip the slashes on their post variables, why not do this:

array_walk($_GET, 'stripslashes');
array_walk($_POST, 'stripslashes');
array_walk($_REQUEST, 'stripslashes');

use whichever you normally use in your code.
aescomputer AT yahoo DOT com
28-Oct-2005 01:35
I was inspired by sam's code to use it to strip tags into rendered info by making < and > into '&lt; and &gt; respectively:

// clean url attributes of html tags
   if(!empty($_REQUEST)){
       foreach($_REQUEST as $x => $y){
           $_REQUEST[$x] = str_replace('<', '&lt;', str_replace('>', '&gt;', $y));
       }
   }
alf at mitose dot net
26-Oct-2005 08:09
Take care using stripslashes() if the text you want to insert in the database contain \n characters ! You'll see "n" instead of (not seeing) "\n".

It should be no problem for XML, but is still boring ...
ndl at webspeed dot dk
17-Oct-2005 01:28
The note below still outputted slashes in my script, this one removes it all. It is really just a repeat of the below note, and is quite simple, but it made it work for me (after a few hours with unremoveable slashes)

if(!empty($_POST)){
   foreach($_POST as $x => $y){
       $_POST[$x] = stripslashes($y);
       foreach($_POST as $x => $y){
           $_POST[$x] = stripslashes($y);
       }
   }
}
sam AT emovieposter DOT com
10-Oct-2005 11:21
If you are simply looking to clear slashes from you POST and GET variables, this seems to work well...

<?PHP
if(!empty($_POST)){
foreach($_POST as $x => $y){
$_POST[$x] = stripslashes($y);
}
}
?>

it's simple.
r_loebs at hotmail dot com
25-Jun-2005 10:03
Of course why not just do an

if($r){ stuff; } <-- this will check it all, NULL, 0, ""
john at NOSPAMdoe dot com
30-Mar-2005 12:01
To avoid having to repeatedly check for magic quotes, use this piece of code:

<?php

eval('function cndstrips($str)
{
  return ' . (get_magic_quotes_gpc() ? 'stripslashes($str)' : '$str') . ';
}');

?>

somewhere in the first lines. After this, you can use cndstrips (conditional strip slashes, ofcourse you can rename) instead of stripslashes, and without having to worry about stripping normal strings.

Don't overdo it, however.

If stripping slashes just once is all that matters, try something like this:

<?php

if (get_magic_quotes_gpc())
{
  if (is_array($_POST)
   foreach($_POST  as  $k=>$v) if (is_string($v) $_POST[$k] = stripslashes($v);
  if (is_array($_COOKIE)
   foreach($_COOKIE as $k=>$v) if (is_string($v)$_COOKIE[$k]= stripslashes($v);
  if (is_array($_GET)
   foreach($_GET    as $k=>$v) if (is_string($v) $_GET[$k]  = stripslashes($v);
}

?>

This works with PHP4.
ferik100 at flexis dot com dot br
15-Feb-2005 08:05
Here's a function to get rid of slashes added by magic_quotes_gpc. The parameter it takes can be either a string or an array. I use it to clean up $_POST arrays before processing their contents (rather than stripping slashes from each key and value as the contents are being processed).

function strip_gpc_slashes ($input)
{
   if ( !get_magic_quotes_gpc() || ( !is_string($input) && !is_array($input) ) )
   {
       return $input;
   }

   if ( is_string($input) )
   {
       $output = stripslashes($input);
   }
   elseif ( is_array($input) )
   {
       $output = array();
       foreach ($input as $key => $val)
       {
           $new_key = stripslashes($key);
           $new_val = strip_gpc_slashes($val);
           $output[$new_key] = $new_val;
       }
   }

   return $output;
}

Note: With PHP5 at least this function will preserve user-submitted slashes, so if a user types 'test\' in a form field, this function will return exactly 'test\', not 'test', as suggested by mattyblah at gmail dot com.
10-Feb-2005 11:45
If you want to deal with slashes in double-byte encodings, such as shift_jis or big5, you may use this:

<?
function stripslashes2($string) {
   $string = str_replace("\\\"", "\"", $string);
   $string = str_replace("\\'", "'", $string);
   $string = str_replace("\\\\", "\\", $string);
   return $string;
}
?>
pasamio AT sirdurkus DOT net
30-Sep-2004 07:55
If your trying to pull out some variables from $_REQUEST and directly output them (in my case, quoted text from a search query directly into a HTML text box) with magic_quotes_gpc on use:

htmlspecialchars(stripslashes($searchtext));

For example:

<input type="Text" name="searchtext" value="<?php echo htmlspecialchars(stripslashes($searchtext)); ?>"><br>

$searchtext was pulled from the $_REQUEST variable where $searchtext = "lifeline \"darling downs\""; It properly returns this (including quotes) in the text box.
mattyblah at gmail dot com
10-Sep-2004 11:51
It should be of note that if you are stripping slashes to get rid of the slashes added by magic_quotes_gpc then it will also remove slashes from \. This may not seem that bad but if you have someone enter text such as 'testing\' with a slash at the end, this will cause an error if not corrected. It's best to strip the slashes, then add a slash to every single slash using $text = str_replace('\\', '\\\\', $text);
hash at samurai dot fm
01-Dec-2003 01:34
Might I warn readers that they should be vary careful with the use of stripslashes on Japanese text. The shift_jis character set includes a number of two-byte code charcters that contain the hex-value 0x5c (backslash) which will get stripped by this function thus garbling those characters.

What a nightmare!
add a note add a note


后退起点前进
stripos上一级stristr