Ryman Holmes

Reputation: 756

How to unquote a string in PHP

If I quote a variable to prevent SQL injection as such:

$safe_email = $db->quote($_POST['email']);

If $_POST['email'] = [email protected]

and I do the following:

echo $safe_email;

I get:

"[email protected]"

The PHP Documentation says that the stripslashes function "Un-quotes a quoted string".

However when I use it on my quoted string as such:

echo stripslashes($safe_email);

I still get the string printed out in quotes.

What seems to be the problem here? It's still printing out in quotes.

Upvotes: 0

Views: 8911

Answers (3)

David Spector

Reputation: 1671

Sometimes you just want to remove quotation marks from the beginning and end of a string, and restore characters escaped with "\" in PHP. This is the intuitive meaning of "unquoting a string".

For example, the expression var_export($value,true) always single-quotes its result and escapes certain characters.

This expression will "unquote" such a string nicely: stripslashes(substr(substr($str,1),0,-1)).

Upvotes: 0

deceze

Reputation: 521995

There isn't necessarily a direct inverse of the quote function (assuming PDO::quote here). It surrounds the value with quotes and escapes special characters inside the string to form a valid SQL string literal according to the underlying driver of the database. And that may vary a bit from database to database and the specifics of your connection. You should also never need to unquote a string, because you're not supposed to use the quoted string in any other place but an SQL query:

sprintf('SELECT ... WHERE foo = %s', $pdo->quote($value))

There's no reason whatsoever to quote the value, and then unquote it again to use it anywhere else but an SQL query. Just use the original $value instead of the quoted value. And of course, you should be using prepared statements with bound parameters instead of manual quoting to begin with, so you should hardly have any reason to touch this function ever.

Having said that, this should cover most cases, though is far from guaranteed to always produce the correct result:

$unquoted = stripslashes(substr($quoted, 1, -1));

Upvotes: 2
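As an added example (not code from either answer), the script below runs the unquote expression from the two answers above against var_export() output, where it round-trips, and against PDO::quote() output from the SQLite driver, where it does not, then shows the bound-parameter query that removes the need to unquote anything. It assumes the pdo_sqlite extension is available; the sample values are constructed.

```php
<?php
// Added example: compare the "unquote" expression from the answers against
// var_export() output and against PDO::quote() output, then use bound
// parameters instead. Assumes pdo_sqlite is installed.

function unquote(string $quoted): string
{
    // The expression given in the answers: drop the surrounding quotes, then
    // undo backslash escapes.
    return stripslashes(substr($quoted, 1, -1));
}

// Constructed sample values: a plain address, an embedded single quote, a backslash.
$values = ['user@example.com', "O'Brien", 'back\\slash'];

// 1. var_export() single-quotes its result and escapes only ' and \ with a
//    backslash, so unquote() restores the original exactly.
foreach ($values as $v) {
    $exported = var_export($v, true);
    printf("var_export: %-20s -> %-20s round-trip %s\n",
        $exported, unquote($exported), unquote($exported) === $v ? 'ok' : 'FAILED');
}

// 2. PDO::quote() output depends on the driver. The SQLite driver doubles an
//    embedded single quote instead of backslash-escaping it, and leaves a
//    backslash alone, so neither "O'Brien" nor 'back\slash' survives unquote():
//    the doubled quote stays doubled and stripslashes() eats the backslash.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
foreach ($values as $v) {
    $quoted = $pdo->quote($v);
    printf("PDO::quote: %-20s -> %-20s round-trip %s\n",
        $quoted, unquote($quoted), unquote($quoted) === $v ? 'ok' : 'FAILED');
}

// 3. What the answer recommends: keep the original value for display and bind
//    it as a parameter. The driver handles quoting and there is nothing to undo.
$pdo->exec('CREATE TABLE users (email TEXT)');
$insert = $pdo->prepare('INSERT INTO users (email) VALUES (:email)');
foreach ($values as $v) {
    $insert->execute([':email' => $v]);
}
$select = $pdo->prepare('SELECT email FROM users WHERE email = :email');
$select->execute([':email' => "O'Brien"]);
printf("bound lookup returned: %s\n", $select->fetchColumn());
```

The point of the second loop is the one deceze makes: the quoted form is driver-specific, so a generic unquote can only be a best effort. A MySQL connection would escape the same values differently, and the safe habit is to never hand the quoted string to anything but the SQL text.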

Casey Dwayne

Reputation: 2169

What's wrong with something like this?

filter_var($_POST['email'], FILTER_SANITIZE_EMAIL)

Your question worries me. Please read up on PDO, bind your parameters, and rest easier at night. The road you seem to be traveling down is one of security risks, and will likely not end well.

Side note: I like to sanitize both client side and server side, and bind parameters appropriately. Maybe I'm paranoid, but an ounce of prevention is worth a pound of cure IMO.

Well, since you don't seem to be interested in the right way:

$email = str_replace('"','',$email);

Upvotes: 1
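As an added example (not the answer's own code), this script shows what FILTER_SANITIZE_EMAIL from the answer actually does to a submitted value, pairs it with FILTER_VALIDATE_EMAIL so malformed input is rejected rather than silently rewritten, and stores the accepted value through a bound parameter. It assumes pdo_sqlite is available; the inputs standing in for $_POST['email'] are constructed.

```php
<?php
// Added example: sanitize, validate, then bind. Assumes pdo_sqlite is installed.

// Constructed inputs standing in for $_POST['email'].
$submitted = [
    'user@example.com',
    'user+tag@example.com',
    "O'Brien",                 // no @ at all
    'bad email@example.com',   // contains a space
];

function validateEmail(string $raw): ?string
{
    // FILTER_VALIDATE_EMAIL checks the syntax of the whole address and returns
    // false on failure, so the caller gets either a usable address or null.
    $valid = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (email TEXT)');
$insert = $pdo->prepare('INSERT INTO users (email) VALUES (:email)');

foreach ($submitted as $raw) {
    // FILTER_SANITIZE_EMAIL only removes characters an address can never
    // contain. It does not verify the result: the space in 'bad email@...'
    // is simply dropped and the altered value would pass through unnoticed.
    $sanitized = filter_var($raw, FILTER_SANITIZE_EMAIL);

    // Validating the raw submission rejects it instead of repairing it.
    $email = validateEmail($raw);
    if ($email === null) {
        printf("rejected: %-25s (sanitize alone would give: %s)\n", $raw, $sanitized);
        continue;
    }

    // The value travels separately from the SQL text, so no quoting is
    // needed here and there is never a quoted copy to strip later.
    $insert->execute([':email' => $email]);
    printf("stored:   %s\n", $email);
}

$count = $pdo->prepare('SELECT COUNT(*) FROM users WHERE email = :email');
$count->execute([':email' => 'user@example.com']);
printf("rows for user@example.com: %d\n", $count->fetchColumn());
```

Validation decides whether the input is acceptable; binding decides how it reaches the database. The str_replace at the end of the answer does neither: it only changes what the string looks like, which is the same category of problem the question started with.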
