Doc Bug #44956 stripslashes() removes slashes not added by addslashes()
Submitted: 2008-05-09 15:43 UTC Modified: 2008-08-14 10:33 UTC
Votes:3
Avg. Score:3.7 ± 0.9
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:2 (66.7%)
From: webmaster at drk dot com dot ar Assigned:
Status: Closed Package: Documentation problem
PHP Version: 5.2.6 OS: Linux
Private report: No CVE-ID: None
 [2008-05-09 15:43 UTC] webmaster at drk dot com dot ar
Description:
------------
stripslashes() removes slashes not added by addslashes()

I expect a function to do what is described in the first line of its documentation. As published on this site: "un-quotes strings quoted with addslashes()"

It is water clear this function isn't working as expected, as it shouldn't remove any slash that addslashes() wouldn't add. For example, a slash before a space won't be added by addslashes() and mustn't be removed by stripslashes().

You can refuse to correct the code. In that case, which I consider most useless, you ought to correct the documentation.

I ask myself: wouldn't a function which undoes what addslashes() does be useful?

Reproduce code:
---------------
<?php
$str = "the first \ should stay. it\'s the  \"right\" case";
$str = stripslashes($str);
var_dump($str);
?>

Expected result:
----------------
"the first \ should stay. it's the  "right" case"

Actual result:
--------------
"the first  should stay. it's the  "right" case"

 [2008-05-09 15:56 UTC] c dot onogol at gmail dot com
I agree.
The documentation makes you think it's the exact opposite of 
addslashes(), both in the function description and its return values 
(which happen to be explicitly listed, and there's no mention of 
removing single slashes that are not escaping anything).


There's no string that produces "this \ that" after a call to 
addslashes().


addslashes("this that") would never output "this \ that"...

The doc says clearly "Un-quotes a quoted string", it's clear its 
purpose is to run it on strings to be inserted in a DB, why would it 
remove single slashes?
 [2008-05-09 16:43 UTC] c dot onogol at gmail dot com
I realized my previous comment needs some clarification.

The function does work when you do:

assert($a == stripslashes(addslashes($a)))

This function breaks strings when not used in conjunction with 
addslashes(). By simply skipping single backslashes you can make this 
function safe to use in all cases.

Wouldn't it be an enhancement if you made it so single slashes are 
simply skipped, since most likely they have not been used with 
addslashes()?
 [2008-08-04 20:23 UTC] michael at chunkycow dot com dot au
Seems obvious to me that it removes slashes; if you want to keep your slashes then use addslashes, which will double slash your slashes (sounds quite violent huh :P).
If you're using this for a database string then use mysql_real_escape_string for mysql etc.; addslashes should not be used for database escaping.
 [2008-08-14 10:33 UTC] kalle@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

This was just a typo in the documentation; stripslashes() isn't meant to only work on results by addslashes().
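
The round trip and the lone-backslash case discussed in this thread, as an added example that is not part of the report or of PHP's source. `unaddslashes()` and `check()` are hypothetical helpers written for this illustration (PHP 7.4 or later assumed), and every sample string except the one taken from the report is constructed.

```php
<?php
// Added illustration, not PHP's own implementation.
// unaddslashes() is a hypothetical helper: it reverses only the four
// escapes addslashes() produces (\' \" \\ \0) and leaves any other
// backslash in place.
function unaddslashes(string $s): string
{
    return preg_replace_callback(
        '/\\\\([\'"\\\\0])/',
        static fn(array $m): string => $m[1] === '0' ? "\0" : $m[1],
        $s
    );
}

// Hypothetical helper: fail loudly instead of relying on assert() settings.
function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

// Constructed sample values: quotes, backslashes and a NUL byte.
$samples = ['it\'s a "quoted" value', 'C:\temp\new file', "nul\0byte"];

foreach ($samples as $s) {
    $escaped = addslashes($s);
    // On addslashes() output both functions restore the original.
    check(stripslashes($escaped) === $s, 'stripslashes round trip');
    check(unaddslashes($escaped) === $s, 'unaddslashes round trip');
}

// The string from the report was never passed through addslashes().
$report = "the first \ should stay. it\'s the  \"right\" case";
// stripslashes() drops the lone backslash before the space ...
check(strpos(stripslashes($report), '\\') === false, 'stripslashes removed every backslash');
// ... while the strict inverse keeps it and still unescapes \'.
check(
    unaddslashes($report) === 'the first \ should stay. it\'s the  "right" case',
    'unaddslashes kept the lone backslash'
);
// Data that merely contains backslashes is altered by stripslashes().
check(stripslashes('C:\temp\new file') !== 'C:\temp\new file', 'path changed by stripslashes');
```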
 