
So, when I save the data into the database, PHP will add a \ on single or double quotes. That is good.

However, when data is passed back to the client using json_encode(), text like McDonald's is STORED as McDonald's in the DB, but once passed back from PHP to JS it will be encoded as McDonald\'s.

Since I'm using jQuery, is there any plugin to easily do that? Or any function I should use to strip the slashes correctly? Obviously, if there is a case like \\\\s, the function should return \s. :)

Sorry guys. I think I made my question too complicated. How about I make it simpler:

If I have a javascript variable:

var abc = "McDonald\'s";
var bcd = "I need a slash \\ ";
var cde = "save the double quote \"";

How can I strip the \'? What regex should I use?

5 Comments
  • 1
    I'm a little worried about a lot of the answers here. My PHP security knowledge is somewhat dated, so I'm not really qualified to give a good answer here, but it is vitally important that if you do turn off magic quotes, you replace it with a better escaping system. Your goals should be to prevent both SQL injection and cross-site scripting attacks. I normally would use mysql_real_escape_string($user_input) going into the DB and htmlentities($db_output) going out to the client -- but this may not be considered 100% safe any more. Hopefully someone can give better advice. Commented Oct 25, 2010 at 2:09
  • 1
    What are you using in your JS to parse the JSON? Whatever you use would de-escape everything, if it's generated properly (which json_encode will do). Commented Oct 25, 2010 at 2:41
  • @Andrew That advice is still sound, though generally you want to encode to a view with htmlspecialchars(). It is sufficient. Commented Oct 25, 2010 at 8:46
  • Hi @alex. This is a can of worms I'm not qualified to open, but my preference in the past was to go with htmlentities() because it is significantly more destructive to user input, without having any visible impact on the rendered page (as long as you match the page encoding). When I did some studying of hacking methods three years ago, I was appalled at the variety of unicode characters available to a determined hacker -- and I still don't understand how many of these techniques worked. And I'm still not 100% sure htmlentities() is safe, but I know it's safer than htmlspecialchars(). Commented Oct 25, 2010 at 13:55
  • @Andrew Well htmlspecialchars() targets just the characters generally used for XSS. I think using htmlentities() will do the same, but just bloat the page using &#xx; style encoding for exotic characters, and most encoded stuff can be achieved by using UTF-8 as the character set. Commented Oct 25, 2010 at 14:01

5 Answers

8

It's actually highly discouraged to use this "magic quotes" feature that inserts slashes. In general, you never want to store data in the database in an escaped format; you want to do the escaping and encoding in the output.


3 Comments

Actually, I just checked the DB; magic quotes are off. It will store McDonald's in the DB. HOWEVER, the data generated from json_encode will attach the \'. It has to be like that when getting back to JSON. BUT how can I remove the slash in JS?
That's not quite correct; you want to escape data where it leaves the application in a way appropriate to where it's going. That is, you escape it for SQL generation in a way that doesn't store it escaped.
@seatoskyhk, as @alex explains in his answer, use a JSON parser in JavaScript.
4

I would take care of the main problem - magic_quotes is enabled.

I would disable it and use proper escaping methods with your database.

Then you don't have to worry about PHP magically adding slashes.

If you are talking about slashes when using json_encode(), it does that for a reason.

Use a JSON parser in JavaScript and you won't see them (unless something else is improperly encoding them).

1 Comment

For the JSON part, that is exactly what I need to figure out. I don't want to have \' when I extract the data.
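To show what this answer means in practice, here is an added example (not code from the original answers): a constructed sample of the text PHP's json_encode() would emit for the three values in the question, parsed with JSON.parse, a check for data that arrived already double-escaped, and an htmlspecialchars-style escaper for the moment the value is written into HTML. The helper names parsePhpJson, looksDoubleEscaped, escapeHtml and renderRecord are my own.

```javascript
// Constructed sample: what PHP's json_encode() emits for the three values in
// the question when magic quotes are OFF. The backslashes here are JSON
// escaping and exist only in the wire format, never in the parsed values.
const jsonFromPhp =
  '{"abc":"McDonald\'s","bcd":"I need a slash \\\\ ","cde":"save the double quote \\""}';

// Constructed sample: the same "abc" value after magic quotes / addslashes()
// mangled it BEFORE storage, so the DB row itself reads McDonald\'s.
const jsonWithMagicQuotes = '{"abc":"McDonald\\\\\'s"}';

// A JSON parser reverses json_encode() exactly; no stripslashes() is needed.
function parsePhpJson(text) {
  return JSON.parse(text);
}

// Diagnostic: a parsed value that still contains \' \" or \\ was escaped
// twice (magic quotes or addslashes() before storage). Fix that on the PHP
// side rather than stripping slashes in the browser.
function looksDoubleEscaped(value) {
  return /\\['"\\]/.test(String(value));
}

// Equivalent of PHP's htmlspecialchars($s, ENT_QUOTES): escape for the HTML
// text context at the point of output, not before storage.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(value).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Builds the markup a page would insert for one record.
function renderRecord(json) {
  return '<li>' + escapeHtml(parsePhpJson(json).abc) + '</li>';
}

// Quick demonstration when run directly with node.
const parsed = parsePhpJson(jsonFromPhp);
console.log(parsed.abc);                             // McDonald's
console.log(parsed.bcd);                             // I need a slash \ 
console.log(parsed.cde);                             // save the double quote "
console.log(looksDoubleEscaped(parsed.abc));         // false
console.log(parsePhpJson(jsonWithMagicQuotes).abc);  // McDonald\'s
console.log(looksDoubleEscaped(parsePhpJson(jsonWithMagicQuotes).abc)); // true
console.log(renderRecord(jsonFromPhp));              // <li>McDonald&#039;s</li>
```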
1

Yes. http://phpjs.org/functions/stripslashes:537

2 Comments

I read that already, but it is so messy: other people's comments provide different things and say it doesn't work in IE...
That one doesn't work. It returns an error: unmatched ) in regular expression
1

Try this too

function stripslashes (str) {
  // Mirrors PHP's stripslashes(): every backslash plus the (optional)
  // character after it is replaced according to that character.
  return (str + '').replace(/\\(.?)/g, function (s, n1) {
    switch (n1) {
    case '\\':
      return '\\';     // "\\" becomes a single backslash
    case '0':
      return '\u0000'; // "\0" becomes a NUL character
    case '':
      return '';       // a trailing lone backslash is dropped
    default:
      return n1;       // "\x" becomes "x" for any other character
    }
  });
}

Comments

0

Use: http://au.php.net/manual/en/function.mysql-real-escape-string.php before storing into the database.

Use a custom function like this before writing onto any user interface:

function unescape($string)
{
    // Undo escaped control characters (\x00, \n, \r, \x1a)
    $search  = array("\\x00", "\\n", "\\r", "\\\x1a");
    $replace = array("\x00", "\n", "\r", "\x1a");
    $retString = str_replace($search, $replace, $string);

    // Undo escaped single and double quotes
    $search  = array("\\'", '\\' . '"');
    $replace = array("'", '"');
    $retString = str_replace($search, $replace, $retString);

    // Finally collapse a doubled backslash into a single one
    $search  = array("\\\\");
    $replace = array("\\");
    $retString = str_replace($search, $replace, $retString);

    return $retString;
}

1 Comment

Better than mine.. lol, I have a new function that has \\\\\\\\\\\\\\\\
