Magic quotes and strings
Where are we?
You know how to get form data into a PHP program. Let’s talk about an annoying thing that PHP does to text strings.
This lesson’s goals
In this lesson, you learn:
- That PHP’s magic quotes feature adds extra backslashes to text.
- How to use the stripslashes() function to fix the problem.
Strings with quotes
Look at the name form again. Here it is, with some data:

Figure 1. Input
When the user clicks the button, the form data is sent to this page:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Strict//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title></title>
</head>
<body>
<?php
$first_name = $_POST['first_name'];
$surname = $_POST['surname'];
?>
<p>Your name is <?php print $first_name . ' ' . $surname; ?>.</p>
</body>
</html>
Figure 2. Process form data
Here is the output:

Figure 3. Output
No problem.
But suppose the user has a name with a quote (’) in it, like this:

Figure 4. Input with quote
This is the result:

Figure 5. Output with quote
There’s a backslash in the output (\). You can try it.
Huh? Where did that backslash come from?
The magic quotes setting
PHP has a bunch of settings that change how it works. For example, you can set the maximum time a PHP program is allowed to run.
One of the settings is “magic quotes.” It’s either on or off. When it’s on, PHP looks at all the text data coming in from forms. If it finds a quote, it will put a backslash in front of it. So it converts De'ev to De\'ev.
If magic quotes is off, no conversion happens. De'ev stays De'ev.
Here’s the output again:

Figure 4 (again). Output with quote
This came from a PHP program running on a server. The server had magic quotes on. Hence the backslash.
I turned magic quotes off, and ran the program again. I got:

Figure 5. No backslash
Er, why did the PHP people do this magic quotes thing?
It helps with security in some situations. But it causes problems, as well. For De’ev, and others.
Many people think that magic quotes was a bad idea. It didn’t solve many security problems. And anyway, there are better ways to handle those security issues it did solve.
Magic quotes will be dropped in the next major version of PHP.
Getting rid of the backslashes
There are two ways to get rid of the extra backslashes. One way is to turn the magic quotes setting off in PHP. But to do that, you need access to a special settings file. You may or may not have access, depending on your hosting account.
The second way is to call PHP’s stripslashes() function. It does what its name says. You give it a string, and it goes through and removes the backslashes.
Here’s the code again, with a slight change:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Strict//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title></title>
</head>
<body>
<?php
$first_name = $_POST['first_name'];
$first_name = stripslashes($first_name);
$surname = $_POST['surname'];
$surname = stripslashes($surname);
?>
<p>Your name is <?php print $first_name . ' ' . $surname; ?>.</p>
</body>
</html>
Figure 6. Using stripslashes()
Line 10 strips the slashes out of $first_name and puts the result back into $first_name. Line 12 does the same for $surname.
You could also write it like this:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Strict//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title></title>
</head>
<body>
<?php
$first_name = stripslashes($_POST['first_name']);
$surname = stripslashes($_POST['surname']);
?>
<p>Your name is <?php print $first_name . ' ' . $surname; ?>.</p>
</body>
</html>
Figure 7. Using stripslashes() again
It works the same. Line 9 takes the value of the form field first_name, strips out the backslashes, and puts the result into $first_name.
You could also do this:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Strict//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title></title>
</head>
<body>
<?php
$first_name = $_POST['first_name'];
$surname = $_POST['surname'];
?>
<p>Your name is <?php print stripslashes($first_name) . ' ' . stripslashes($surname); ?>.</p>
</body>
</html>
Figure 8. Using stripslashes() again again
This version moves the calls to stripslashes() to the output.
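Here is an added example of my own, not the lesson's code, showing the check you want before calling stripslashes(): strip only when the server reports magic quotes on, because with the setting off stripslashes() also removes backslashes the user typed on purpose, and handle array form fields (name="tags[]"), which stripslashes() alone cannot. It assumes get_magic_quotes_gpc(), which exists only in PHP versions that have magic quotes (hence the function_exists() guard), and the form data at the bottom is constructed; escaping with htmlspecialchars() at the point of output is one of the better ways of handling quotes that the lesson mentions.

```php
<?php
// Added example, not the lesson's own code. Undoes magic quotes only when
// PHP really added the backslashes, and copes with array form fields.

// True when the running PHP has magic_quotes_gpc switched on.
// get_magic_quotes_gpc() exists only in PHP versions that have magic
// quotes; on later versions it is gone, and there is nothing to undo.
function magic_quotes_are_on() {
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Remove one layer of backslashes from a string, or from every string
// inside an array (stripslashes() itself accepts only a single string).
function strip_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Return a copy of the form data as the user typed it. $magic_on is a
// parameter so the function can be tested without touching php.ini.
function undo_magic_quotes(array $form, $magic_on) {
    return $magic_on ? strip_magic_quotes($form) : $form;
}

// Constructed sample: what $_POST holds for De'ev O'Brien and an array
// field when magic quotes is on (every quote has gained a backslash).
$escaped = array(
    'first_name' => "De\\'ev",                 // De\'ev
    'surname'    => "O\\'Brien",               // O\'Brien
    'tags'       => array("it\\'s", 'plain'),  // it\'s
);
$clean = undo_magic_quotes($escaped, true);
assert($clean['first_name'] === "De'ev");
assert($clean['tags'][0] === "it's");

// With magic quotes off, a backslash the user typed must be left alone;
// an unconditional stripslashes() would have turned it into C:UsersDev.
$typed = undo_magic_quotes(array('path' => "C:\\Users\\Dev"), false);
assert($typed['path'] === "C:\\Users\\Dev");

// In the real page: clean the input once, then escape where it is printed,
// so the quote in De'ev shows correctly and any HTML characters in the
// name are rendered as text rather than as markup.
$name = undo_magic_quotes($_POST, magic_quotes_are_on());
if (isset($name['first_name'], $name['surname'])) {
    $full = $name['first_name'] . ' ' . $name['surname'];
    print '<p>Your name is ' . htmlspecialchars($full, ENT_QUOTES, 'UTF-8') . '.</p>';
}
```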
Exercise: Remove the slashes
Write an HTML page with a form that has one field, like this:

Figure 1. Input
When the button is clicked, the data is sent to a PHP page that shows whatever data the user typed. If there is a quote (’) in the data, no slashes appear in the output. Like this:

Figure 2. Output
You can try my solution to see how it works. You can download my solution, but do the exercise yourself before you look at the files.
Upload your solution to your server. Put the URL below.
Summary
In this lesson, you learned:
- That PHP’s magic quotes feature adds extra backslashes to text.
- How to use the stripslashes() function to fix the problem.
What now?
Let’s see how you can do computations on form data.