This has been driving be crazy, but I can’t seem to find an answer. We run a technical knowledge base that will sometimes include Windows samba paths for mapping to network drives.
For example: \\servername\sharename
When we include paths that have two backslashes followed by each other, they are not escaped properly when running ‘addslashes’. My expected results would be “\\\\servername\\sharename“, however it returns “\\servername\\sharename“. Obviously, when running ‘stripslashes’ later on, the double backslash prefix is only a single slash. I’ve also tried using a str_replace("\\", "\", $variable); however it returns "\servername\sharename" when I would expect "\\servername\sharename".
So with addslashes, it ignores the first set of double-backslashes and with str_replace it changes the double-backslashes into a single, encoded backslash.
We need to run addslashes and stripslashes for database insertion; using pg_escape_string won’t work in our specific case.
This is running on PHP 5.3.1 on Apache.
EDIT: Example Code
$variable = 'In the box labeled Folder type: \\servername\sharename';
echo addslashes($variable);
This returns: In the box labeled Folder type: \\servername\\sharename
EDIT: Example Code #2
$variable = 'In the box labeled Folder type: \\servername\sharename';
echo str_replace('\\', '\', $variable);
This returns: In the box labeled Folder type: \servername\sharename
I’d also like to state that using a single quotes or double-quotes does not give me different results (as you would expect). Using either or both give me the same exact results.
Does anyone have any suggestions on what I can possibly do?
I’ve determined, with more testing, that it indeed is with how PHP is handling hard-coded strings. Since hard-coded strings are not what I’m interested in (I was just using them for testing/this example), I created a form with a single text box and a submit button.
addslasheswould correctly escape the POST’ed data this way.Doing even more research, I determined that the issue I was experiencing was with how PostgreSQL accepts escaped data. Upon inserting data into a PostgreSQL database, it will remove any escape characters it is given when it actually places the data in the table. Therefore,
stripslashesis not required to remove escape characters when pulling the data back out.This problem stemmed from code migration from PHP 4.1 (with Magic Quotes on) to PHP 5.3 (with Magic Quotes deprecated). In the existing system (PHP4), I don’t think we were aware that Magic Quotes were on. Therefore, all POST data was being escaped already and then we were escaping that data again with
addslashesbefore inserting. When it got inserted into PostgreSQL, it would strip one set of slashes and leave the other, therefore requiring us tostripslasheson the way out. Now, with Magic Quotes off, we escape withaddslashesbut are not required to usestripslasheson the way out.It was very hard to organize and determine exactly where the problem lay, so I know this answer is a little off to my original question. I do, however, thank everyone who contributed. Having other people sound off on their ideas always helps to make you think on avenues you may not have on your own.