Reputation: 93
We are trying to escape some special characters from our string. Please tell me the function that we have to use.
e.g. HTC Desire 210 – White
In this example we escape the - (hyphen) special character.
As in the above example, we have a lot of product names with different special characters that we need to escape.
Thanks for your co-operation.
Upvotes: 3
Views: 65999
Reputation: 901
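You can use addcslashes().
It returns a string with backslashes before the characters that are given in the second parameter.
<?php
// The second argument is a plain list of characters, not a comma-separated
// list: commas in it would be escaped as well.
echo addcslashes("union [", '+-[]');
// output: union \[
?>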
Upvotes: 1
Reputation: 6272
If you want to use the string for a database SQL operation, then you can escape special characters in mysqli using the function mysqli_real_escape_string().
Syntax:
mysqli_real_escape_string(connection,escapestring);
Example:
<?php
$con = mysqli_connect("localhost", "my_user", "my_password", "my_db");
// Check connection
if (mysqli_connect_errno()) {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
// escape variables for security
$your_string = 'string "hi" ';
$escaped_string = mysqli_real_escape_string($con, $your_string);
$sql = 'select * from tablename where fields like "%' . $escaped_string . '%" ';
// use the same connection variable ($con) that was opened above
$result = $con->query($sql);
// here you can iterate over result array for displaying result
?>
You can use addslashes() to escape the string, which returns a string with backslashes added before characters like:
But addslashes() has some vulnerabilities to SQL injection; for details see the answer to this question: Examples of SQL Injections through addslashes(). So it is better to use the mysqli_real_escape_string() function if you are doing database operations.
Or if you want to escape characters for regular expressions, then you can use preg_quote ( string $str [, string $delimiter = NULL ] ), which puts a backslash in front of every character that is part of the regular expression syntax. Regular expression characters are: . \ + * ? [ ^ ] $ ( ) { } = ! < > | : -
Note: But be careful, preg_quote() will not escape single (') or double (") quotes.
Upvotes: 0
Reputation: 10548
Pass the string to this function.
function clean($string){
    $string = str_replace(' ', '-', $string); // Replaces spaces with hyphens.
    return preg_replace('/[^A-Za-z0-9\-]/', '', $string); // Removes special chars.
}
For more info, check this Remove Special Character - Stackoverflow
Upvotes: 6
Reputation: 1991
If you need to escape characters that would break a regex / PCRE function (e.g., preg_match()) if not escaped, you can use preg_quote().
For example, let's say your needle and haystack are:
$needle = "needle(";
$haystack = "ibivfdubdvwbneedle(cihbdhcbds";
The following preg_match() will throw a warning:
var_dump(preg_match("/" . $needle . "/", $haystack)); -----> WARNING preg_match(): Compilation failed: missing ) at offset 7 on line number 9 bool(false)
because a left parenthesis is a character used in regular expression syntax. However, if you use preg_quote() on the needle, the left parenthesis will be escaped and the regex check will execute:
// the second argument also escapes the "/" delimiter used by this pattern
var_dump(preg_match("/" . preg_quote($needle, "/") . "/", $haystack)); ----> int(1)
More discussion about preg_quote() here.
Upvotes: 2
Reputation: 1718
The mysqli_real_escape_string() function escapes special characters in a string for use in an SQL statement.
Syntax:
mysqli_real_escape_string(connection,escapestring);
Example: escape special characters in a string:
<?php
$con=mysqli_connect("localhost","my_user","my_password","my_db");
// Check connection
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
// escape variables for security
$firstname = mysqli_real_escape_string($con, $_POST['firstname']);
$lastname = mysqli_real_escape_string($con, $_POST['lastname']);
$age = mysqli_real_escape_string($con, $_POST['age']);
$sql="INSERT INTO Persons (FirstName, LastName, Age)
VALUES ('$firstname', '$lastname', '$age')";
if (!mysqli_query($con,$sql)) {
die('Error: ' . mysqli_error($con));
}
echo "1 record added";
mysqli_close($con);
?>
connection: Required. Specifies the MySQL connection to use.
escapestring: Required. The string to be escaped. Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z.
Upvotes: 4
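The two mysqli_real_escape_string() answers above build the SQL by string concatenation; the same queries can pass values as bound parameters instead, and a LIKE search also needs `%` and `_` escaped, which mysqli_real_escape_string() does not do. The following is an added example, not code from any answer on this page. It assumes PDO with an in-memory SQLite database so that it runs without a server, a constructed `products` table, and hypothetical helpers `like_literal()` and `find_products()`; with mysqli the corresponding calls are prepare(), bind_param() and execute().

```php
<?php
// Added example: bound parameters plus LIKE-wildcard escaping.
// Table name, column name and rows are constructed for illustration.

// Make a search term match literally inside a LIKE pattern.
// '!' is the escape character declared by the ESCAPE clause in the query,
// so it has to be doubled first, before '%' and '_' are prefixed with it.
function like_literal(string $term): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

// Substring search on product names. The value is sent separately from the
// SQL text, so quotes in $term cannot end a string literal in the query.
function find_products(PDO $db, string $term): array
{
    $stmt = $db->prepare(
        "SELECT name FROM products WHERE name LIKE ? ESCAPE '!'"
    );
    $stmt->execute(['%' . like_literal($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Assumption: in-memory SQLite through PDO, so no server is required.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (name TEXT)');

// Constructed sample rows, inserted through a bound parameter as well.
$insert = $db->prepare('INSERT INTO products (name) VALUES (?)');
$samples = [
    'HTC Desire 210 - White',
    'Cable 100% copper',
    'O\'Neill "Pro" case',
    'USB_C hub',
    'USB-C hub',
];
foreach ($samples as $name) {
    $insert->execute([$name]);
}

// Terms containing quotes, a percent sign and an underscore, each of which
// would change the meaning of a concatenated LIKE query if left unescaped.
foreach (['O\'Neill "Pro"', '100%', 'USB_C', 'Desire 210 - White'] as $term) {
    echo $term, ' => ', json_encode(find_products($db, $term)), PHP_EOL;
}
```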
Reputation: 5917
Use the system function $city = $mysqli->real_escape_string($city);
See here: http://php.net/manual/en/mysqli.real-escape-string.php
Upvotes: 0
Reputation: 11830
You can use str_replace, for example:
str_replace(array(':', '-', '/', '*'), '', $string);
Upvotes: 2