字符串函数
在线手册:中文 英文
PHP手册

addcslashes

(PHP 4, PHP 5)

addcslashes以 C 语言风格使用反斜线转义字符串中的字符

说明

string addcslashes ( string $str , string $charlist )

返回字符串,该字符串在属于参数 charlist 列表中的字符前都加上了反斜线。如果 charlist 中包含有 \n\r 等字符,将以 C 语言风格转换,而其它非字母数字且 ASCII 码低于 32 以及高于 126 的字符均转换成使用八进制表示。

当选择对字符 0,a,b,f,n,r,t 和 v 进行转义时需要小心,它们将被转换成 \0,\a,\b,\f,\n,\r,\t 和 \v。在 PHP 中,只有 \0(NULL),\r(回车符),\n(换行符)和 \t(制表符)是预定义的转义序列, 而在 C 语言中,上述的所有转换后的字符都是预定义的转义序列。

charlist 参数,如“\0..\37”,将转义所有 ASCII 码介于 0 和 31 之间的字符。

Example #1 addcslashes() 例子

<?php
$escaped 
addcslashes($not_escaped"\0..\37!@\177..\377");
?>

当定义 charlist 参数中的字符序列时,需要确实知道介于自己设置的开始及结束范围之内的都是些什么字符。

<?php
echo addcslashes('foo[ ]''A..z');
// 输出:\f\o\o\[ \]
// 所有大小写字母均被转义
// ... 但 [\]^_` 以及分隔符、换行符、回车符等也一并被转义了。
?>
另外,如果设置范围中的结束字符 ASCII 码高于开始字符,则不会创建范围,只是将开始字符、结束字符以及其间的字符逐个转义。可使用 ord() 函数获取字符的 ASCII 码值。
<?php
echo addcslashes("zoo['.']"'z..A');
// 输出:\zoo['\.']
?>

参见 stripcslashes()stripslashes()addslashes()htmlspecialchars()quotemeta()


字符串函数
在线手册:中文 英文
PHP手册
PHP手册 - N: 以 C 语言风格使用反斜线转义字符串中的字符

用户评论:

kongaspar at gmail dot com (27-Jul-2009 01:33)

Perhaps the following is a more efficient JavaScript escape function:

<?php
function jsEscape($str) {
    return
addcslashes($str,"\\\'\"&\n\r<>");
}
?>

stein at visibone dot com (12-Nov-2007 11:16)

addcslashes() treats NUL as a string terminator:

   assert("any"  === addcslashes("any\0body", "-"));

unless you order it backslashified:

   assert("any\\000body" === addcslashes("any\0body", "\0"));

(Uncertain whether this should be declared a bug or simply that addcslashes() is not binary-safe, whatever that means.)

Johannes (27-Oct-2007 01:34)

Be carefull with adding the \ to the list of encoded characters. When you add it at the last position it encodes all encoding slashes. I got a lot of \\\ by this mistake.

So always encode \ at first.

phpcoder at cyberpimp dot pimpdomain dot com (20-Jan-2005 08:35)

Forgot to add something:
The only time you would likely use addcslashes() without specifying the backslash (\) character in charlist is when you are VALIDATING (not encoding!) a data string.

(Validation ensures that all control characters and other unsafe characters are correctly encoded / escaped, but does not alter any pre-existing escape sequences.)

You can validate a data string multiple times without fear of "double encoding".  A single decoding pass will return the original data, regardless of how many times it was validated.)

phpcoder at cyberpimp dot pimpdomain dot com (20-Jan-2005 07:02)

If you are using addcslashes() to encode text which is to later be decoded back to it's original form, you MUST specify the backslash (\) character in charlist!

Example:

<?php
  $originaltext
= 'This text does NOT contain \\n a new-line!';
 
$encoded = addcslashes($originaltext, '\\');
 
$decoded = stripcslashes($encoded);
 
//$decoded now contains a copy of $originaltext with perfect integrity
 
echo $decoded; //Display the sentence with it's literal \n intact
?>

If the '\\' was not specified in addcslashes(), any literal \n (or other C-style special character) sequences in $originaltext would pass through un-encoded, but then be decoded into control characters by stripcslashes() and the data would lose it's integrity through the encode-decode transaction.

ruben at intesys dot it (31-May-2004 05:51)

jsAddSlashes for XHTML documents:

<?php
header
("Content-type: text/xml");

print <<<EOF
<?xml version="1.0"?>
<html>
<head>
<script type="text/javascript">

EOF;

function
jsAddSlashes($str) {
   
$pattern = array(
       
"/\\\\/"  , "/\n/"    , "/\r/"    , "/\"/"    ,
       
"/\'/"    , "/&/"     , "/</"     , "/>/"
   
);
   
$replace = array(
       
"\\\\\\\\", "\\n"     , "\\r"     , "\\\""    ,
       
"\\'"     , "\\x26"   , "\\x3C"   , "\\x3E"
   
);
    return
preg_replace($pattern, $replace, $str);
}

$message = jsAddSlashes("\"<Hello>\",\r\n'&World'\\!");

print <<<EOF
alert("$message");
</script>
</head>
<body>
<h1>Hello, World!</h1>
</body>
</html>

EOF;
?>

(21-Sep-2003 07:44)

<?php
function jsaddslashes($s)
{
 
$o="";
 
$l=strlen($s);
 for(
$i=0;$i<$l;$i++)
 {
 
$c=$s[$i];
  switch(
$c)
  {
   case
'<': $o.='\\x3C'; break;
   case
'>': $o.='\\x3E'; break;
   case
'\'': $o.='\\\''; break;
   case
'\\': $o.='\\\\'; break;
   case
'"'$o.='\\"'; break;
   case
"\n": $o.='\\n'; break;
   case
"\r": $o.='\\r'; break;
   default:
  
$o.=$c;
  }
 }
 return
$o;
}

?>
<script language="javascript">
document.write("<? echo jsaddslashes('<h1 style="color:red">hello</h1>'); ?>");
</script>

output :

<script language="javascript">
document.write("\x3Ch1 style=\"color:red\"\x3Ehello\x3C/h1\x3E");
</script>

natNOSPAM at noworrie dot NO_SPAM dot com (18-May-2002 12:22)

I have found the following to be much more appropriate code example:

<?php
$escaped
= addcslashes($not_escaped, "\0..\37!@\@\177..\377");
?>

This will protect original, innocent backslashes from stripcslashes.