I'm wondering why php adds a backslash when i remove double quotes.

<input type="text" name="number" id="number" />
<input type="button" name="button" id="button" value="Button" />

Say they user enters the value 5-1/2" and i'm passing it to a processing page via jquery's .get method.

$('#button').click(function(){

    $.get('determine.php?number='+$('#number').val(),function(data){
     $('#response').html(data);
    });

});

Here is my processing page.

determine.php

$number = $_GET['number'];

$number = str_replace(array('"', "'"), '', $number);

echo $number;

//echos 5-1/2\

Why is the backslash there?

I'm wondering why php adds a backslash when i remove double quotes.

<input type="text" name="number" id="number" />
<input type="button" name="button" id="button" value="Button" />

Say they user enters the value 5-1/2" and i'm passing it to a processing page via jquery's .get method.

$('#button').click(function(){

    $.get('determine.php?number='+$('#number').val(),function(data){
     $('#response').html(data);
    });

});

Here is my processing page.

determine.php

$number = $_GET['number'];

$number = str_replace(array('"', "'"), '', $number);

echo $number;

//echos 5-1/2\

Why is the backslash there?

• php
• javascript
• jquery

Share Improve this question Follow asked Oct 25, 2010 at 17:57 polyhedronpolyhedron 1,59044 gold badges1919 silver badges2727 bronze badges 1

• I think this is the same issue as: stackoverflow./questions/2448332/… – Richard Marskell - Drackir Commented Oct 25, 2010 at 18:00

Add a ment  | 

4 Answers 4

Sorted by: Reset to default 8

It doesn't add them when you remove the slash, it automatically escapes them in the query string parameters when the magic_quotes_gpc directive is enabled (and it is, by default pre 5.30). It did this as a security precaution, so that the data could be safely used in a database query. You can disabled them by changing the setting in your php.ini file, see http://www.php/manual/en/security.magicquotes.disabling.php.

You can also use stripslashes to remove them:

$number = str_replace(array('"', "'"), '', stripslashes($number));

An example use of stripslashes() is when the PHP directive magic_quotes_gpc is on (it's on by default), and you aren't inserting this data into a place (such as a database) that requires escaping. For example, if you're simply outputting data straight from an HTML form.

User input gets escaped by magic quotes.

http://www.php/manual/en/function.get-magic-quotes-gpc.php

Elegant weapons for a more... civilized age.

You possible have bad magic quotes turned on. If that's the case, you should simply disable them from php.ini.

See http://php/manual/en/security.magicquotes.php

Magic Quotes is a process that automagically escapes ining data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.

When on, all ' (single-quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically.

In short, magic quotes is a feature in PHP where quote characters are automatically escaped with the \ character.

Here are some solutions for turning off magic quotes: http://www.php/manual/en/security.magicquotes.disabling.php