Un-quote string quoted with addcslashes
(PHP 4, PHP 5)
Code Examples / Notes » stripcslashes
stripcslashes does not accept hexadecimal escape sequences of more than two digits, even though C does. This means that all of the following are true (in C the second and third examples would contain the characters '\x48e' and '\x323' respectively):
stripcslashes('H\x65llo') == 'Hello'
stripcslashes('\x48ello') == 'Hello'
stripcslashes('1\x323') == '123'
stripcslashes does accept hexadecimal escape sequences of only one digit, as long as the following digit is not a valid hexadecimal digit, so both of the following are true:
stripcslashes('He\xallo') == 'He'."\n".'llo'
stripcslashes('H\xaello') == 'H'.chr(0xAE).'llo'
The fact that stripcslashes is limited to two hexadecimal digits looks like a bug at first glance, but it can be a feature. You can, for example, do a simple str_replace(':', '\x3a', $str) to replace all colons in a string with '\x3a' without having to worry about whether or not the next character will be interpreted as a hexadecimal digit.
If this "bug" is ever fixed, there will be no way in PHP to escape the colon in the string 'a:b' with a hexadecimal representation, since the 'b' would be interpreted as the hexadecimal digit 11. The string 'a\x3ab' would be interpreted as 'a'.chr(0x3AB).
if you allow users to submit fields with apostrophy's inside, what you should do is pass that string into "stripcslashes()" to remove any slashes that may be automatically added by whatever that is causing it. As usual, you should verify this for yourself by creating a form and output the raw data in plain text format to make sure you have it right. The reason why MySQL does seem to ignore this problem is because it takes the "\'" and treat it as "'".