Note:

If you want to create a new page for developers, you should create it on the Moodle Developer Resource site.

Slashes

From MoodleDocs
Revision as of 12:07, 7 October 2006 by Gustav Delius (talk | contribs)

The functions addslashes() and stripslashes() are misused often, so here is a short explanation of what they are for and when they should be used.

Before entering data into a database, special symbols like single or double quotes need to be escaped by a backslash. So for example every ' needs to be converted to \' in any string that is to be stored in the database. When the string is fetched back from the database it comes back without those slashes. So if data that comes directly from the database is to be written back to the database it needs to have the slashes added to it again. This is an example where the addslashes() function should be used.

Because data submitted by the user will often need to be written to the database, Moodle ensures that it automatically gets slashes added to it. So you never have to use addslashes() on data that comes from the user. If however you want to display data that was submitted by the user then you have to strip the slashes that have been added. This is an example where the stripslashes() function should be used.

The whole situation can be summarized in the following diagram:

Neither stripslashes() nor addslashes() should be used when going from User Input to the Database or from the Database to Screen Output (black arrows) but stripslashes() should be used when displaying user input on the screen (red arrow) and addslashes() should be used when reinserting data in to the database that came from the database (blue arrow). These last two are rare, so the use of addslashes and stripslashes should be rare.

Sometimes you may want to add slashes or remove slashes from all proprties of an object at once. Moodle provides the very convenient functions addslashes_object() and stripslashes_recursive(). The latter also works on arrays.

Moodle provides a function called stripslashes_safe() which only strips slashes in front of single and double quotes and in front of a backslash, so \' becomes ', \" becomes ", and \\ becomes \. Any other slashes, as in C:\Moodle for example, are preserved. It was introduced because in some circumstances it may not matter if this function is applied too often. However I find this function dangerous, because it may make you think that everything is fine until one of your users wants to include a bit of code in their input for example. I would not have been able to write this paragraph (with the \' in it) if it had been passed through stripslashes_safe().

Some core Moodle functions use stripslashes_safe():

print_heading()
print_heading_with_help()
print_heading_block()
print_simple_box()

It usually doesn't matter too much for headings, because including \\, \', or \" in headings is unusual, but it does matter in print_simple_box() and therefore the advice would be to avoid using this function and to use the print_simple_box_start() and print_simple_box_end() pair.