echo addcslashes("zoo['.']", 'z..A');
Above code will create an error as per below
Invalid '..'-range, '..'-range needs to be incrementing -
(PHP 4, PHP 5, PHP 7, PHP 8)
addcslashes — 以 C 语言风格使用反斜线转义字符串中的字符
$str
, string $charlist
) : string
返回字符串,该字符串在属于参数 charlist
列表中的字符前都加上了反斜线。
str
要转义的字符。
charlist
如果 charlist
中包含有 \n
,\r
等字符,将以 C 语言风格转换,而其它非字母数字且 ASCII 码低于 32 以及高于 126
的字符均转换成使用八进制表示。
当定义 charlist 参数中的字符序列时,需要确实知道介于自己设置的开始及结束范围之内的都是些什么字符。
<?php
echo addcslashes('foo[ ]', 'A..z');
// 输出:\f\o\o\[ \]
// 所有大小写字母均被转义
// ... 但 [\]^_` 以及分隔符、换行符、回车符等也一并被转义了。
?>
<?php
echo addcslashes("zoo['.']", 'z..A');
// 输出:\zoo['\.']
?>
当选择对字符 0,a,b,f,n,r,t 和 v 进行转义时需要小心,它们将被转换成 \0,\a,\b,\f,\n,\r,\t 和 \v。在 PHP 中,只有 \0(NULL),\r(回车符),\n(换行符)和 \t(制表符)是预定义的转义序列, 而在 C 语言中,上述的所有转换后的字符都是预定义的转义序列。
返回转义后的字符。
版本 | 说明 |
---|---|
5.2.5 | The escape sequences \v and \f were added. |
charlist
参数,如"\0..\37",将转义所有
ASCII 码介于 0 和 31 之间的字符。
Example #1 addcslashes() 例子
<?php
$escaped = addcslashes($not_escaped, "\0..\37!@\177..\377");
?>
echo addcslashes("zoo['.']", 'z..A');
Above code will create an error as per below
Invalid '..'-range, '..'-range needs to be incrementing -
If you need JS escaping function, use json_encode() instead.
addcslashes() treats NUL as a string terminator:
assert("any" === addcslashes("any\0body", "-"));
unless you order it backslashified:
assert("any\\000body" === addcslashes("any\0body", "\0"));
(Uncertain whether this should be declared a bug or simply that addcslashes() is not binary-safe, whatever that means.)
Be carefull with adding the \ to the list of encoded characters. When you add it at the last position it encodes all encoding slashes. I got a lot of \\\ by this mistake.
So always encode \ at first.
If you are using addcslashes() to encode text which is to later be decoded back to it's original form, you MUST specify the backslash (\) character in charlist!
Example:
<?php
$originaltext = 'This text does NOT contain \\n a new-line!';
$encoded = addcslashes($originaltext, '\\');
$decoded = stripcslashes($encoded);
//$decoded now contains a copy of $originaltext with perfect integrity
echo $decoded; //Display the sentence with it's literal \n intact
?>
If the '\\' was not specified in addcslashes(), any literal \n (or other C-style special character) sequences in $originaltext would pass through un-encoded, but then be decoded into control characters by stripcslashes() and the data would lose it's integrity through the encode-decode transaction.
jsAddSlashes for XHTML documents:
<?php
header("Content-type: text/xml");
print <<<EOF
<?xml version="1.0"?>
<html>
<head>
<script type="text/javascript">
EOF;
function jsAddSlashes($str) {
$pattern = array(
"/\\\\/" , "/\n/" , "/\r/" , "/\"/" ,
"/\'/" , "/&/" , "/</" , "/>/"
);
$replace = array(
"\\\\\\\\", "\\n" , "\\r" , "\\\"" ,
"\\'" , "\\x26" , "\\x3C" , "\\x3E"
);
return preg_replace($pattern, $replace, $str);
}
$message = jsAddSlashes("\"<Hello>\",\r\n'&World'\\!");
print <<<EOF
alert("$message");
</script>
</head>
<body>
<h1>Hello, World!</h1>
</body>
</html>
EOF;
?>
<?php
function jsaddslashes($s)
{
$o="";
$l=strlen($s);
for($i=0;$i<$l;$i++)
{
$c=$s[$i];
switch($c)
{
case '<': $o.='\\x3C'; break;
case '>': $o.='\\x3E'; break;
case '\'': $o.='\\\''; break;
case '\\': $o.='\\\\'; break;
case '"': $o.='\\"'; break;
case "\n": $o.='\\n'; break;
case "\r": $o.='\\r'; break;
default:
$o.=$c;
}
}
return $o;
}
?>
<script language="javascript">
document.write("<? echo jsaddslashes('<h1 style="color:red">hello</h1>'); ?>");
</script>
output :
<script language="javascript">
document.write("\x3Ch1 style=\"color:red\"\x3Ehello\x3C/h1\x3E");
</script>
I have found the following to be much more appropriate code example:
<?php
$escaped = addcslashes($not_escaped, "\0..\37!@\@\177..\377");
?>
This will protect original, innocent backslashes from stripcslashes.