Slashes

From MoodleDocs
Jump to: navigation, search

WARNING: The new Database API in Moodle 2.0 made this obsolete. Do not use addslahes() any more.

The functions addslashes() and stripslashes() are misused often, so here is a short explanation of what they are for and when they should be used.

Before entering data into a database, special symbols like single or double quotes need to be escaped by a backslash. So for example every ' needs to be converted to \' in any string that is to be stored in the database. When the string is fetched back from the database it comes back without those slashes. So if data that comes directly from the database is to be written back to the database it needs to have the slashes added to it again. This is an example where the addslashes() function should be used.

Because data submitted by the user will often need to be written to the database, Moodle ensures that it automatically gets slashes added to it. So you never have to use addslashes() on data that comes from the user. If however you want to display data that was submitted by the user then you have to strip the slashes that have been added. This is an example where the stripslashes() function should be used.

The whole situation can be summarized in the following diagram:

Stripslashes.jpg

Neither stripslashes() nor addslashes() should be used when going from User Input to the Database or from the Database to Screen Output (black arrows) but stripslashes() should be used when displaying user input on the screen (red arrow) and addslashes() should be used when reinserting data in to the database that came from the database (blue arrow). These last two are rare, so the use of addslashes and stripslashes should be rare.

Please note that when outputting strings from the database, you should never simply use echo or something similar but should use Moodle's output functions.

Sometimes you may want to add slashes or remove slashes from all properties of an object at once. Moodle provides the very convenient functions addslashes_object() and stripslashes_recursive(). The latter also works on arrays.

One thing to watch out for is that the parameter type PARAM_CLEANHTML strips slashes, so you have to add slashes before putting data cleaned this way into the database or user PARAM_CLEAN instead.

Moodle provides a function called stripslashes_safe() which only strips slashes in front of single and double quotes and in front of a backslash, so \' becomes ', \" becomes ", and \\ becomes \. Any other slashes, as in C:\Moodle for example, are preserved. It was introduced because in some circumstances it may not matter if this function is applied too often. However I find this function dangerous, because it may make you think that everything is fine until one of your users wants to include a bit of code in their input for example. I would not have been able to write this paragraph (with the \' in it) if it had been passed through stripslashes_safe().

Some core Moodle functions use stripslashes_safe():

print_heading()
print_heading_with_help()
print_heading_block()
print_simple_box()

It usually doesn't matter too much for headings, because including \\, \', or \" in headings is unusual, but it does matter in print_simple_box() and therefore the advice would be to avoid using this function and to use the print_simple_box_start() and print_simple_box_end() pair.

Personal tools
In other languages
User docs (English)