Addslashes seems to be a bit confused. Given the following 2 lines of code

$name = "Dave's test";
$newName = addslashes($name);

I am expecting $newName to be "Dave\'s test" (my one single quote nicely escaped)

However, what I'm getting is "Dave\\'s test" (note the DOUBLE backslashes). This contradicts every bit of online documentation I can find on addslashes - and is causing me a lot of grief.

I am dumping the before and after addslashes results to the http error log via error_log...

error_log("before=$name  after=$newName");

results...

before=Dave's test  after=Dave\\'s test

Note - this is part of an ajax process, so I can't really 'echo' the results.

Any insights into why addslashes would be doubling up on the backslashes are much appreciated.

FYI: I'm using PHP 5.2.6 under Linux with magic quotes OFF.

A: 

My guess is that the error_log() functionality is escaping the backslash itself with another backslash.

The string that it would then represent would technically only have 1 backslash in it, which is the desired result.

Try this as a simple test:

error_log('\a');

and see if you get \\a in the log

John Rasch
No. This is actually part of an input process - this isn't being re-POSTed
P.Scivetti
PHP strings need to be escaped...
strager
Just noticed that, thanks
John Rasch
+1  A: 

For starters, why are you escaping with addslashes()? It's an insufficient method at best, especially if you're trying to guard against SQL injection.

What else can you tell us about your configuration so we can try and replicate?

Kalium
+1 - you should add mysql_real_escape_string() to your post to clarify
John Rasch
If there is any possibility you are using a non-ASCII-based multi-byte encoding, i.e. anything other than ASCII, ISO-8859-x, UTF-8, then you need to use mysql_real_escape_string(). Otherwise it is pretty much the same as addslashes(). I don't think this is very relevant to the question.
thomasrutter
@Rasch, SQL injection is an example. He could be passing JSON (OP mentions Ajax), in which case he should be using json_encode. There are many other functions for different applications.
strager
@thomasrutter It's about the usage scenario. Why is addslashes() even being used in the first place? If it's escaping for interpolation into a SQL query, then the user is doing it wrong and a more DB-specific function is needed. Or ADODB. Or PDO.
Kalium
@strager - right on, I always assume if someone uses PHP that they're using MySQL as well.
John Rasch
1) He is not necessarily outputting to MySQL anyhow, so we can't jump to conclusions. 2) It really isn't relevant to the question anyhow. I can't see how the problem is related to using addslashes().
thomasrutter
A: 

Unable to replicate on 5.2.6 or 5.2.0 installs.

Are you seeing the double backslash if you echo $newName immediately after the operations you wrote? I ask because I suspect the intervention of some other processing layer that is doubling the backslash, not addslashes().

chaos
Good question. I added more detail to the original question to clarify how I'm seeing the error (which is via error_log). This is an ajax-based process, so I'm not really able to 'echo' anything without messing up the transaction.
P.Scivetti
A: 

Note - this is part of an ajax process, so I can't really 'echo' the results.

I think that may be the key to the problem - I would think that the addslashes is probably correctly adding a single backslash to that quote, but that somehow your AJAX process is escaping it again. Are you passing this text via JSON (using json_encode)? If so, you don't need to escape it, as json_encode() will do that transparently.

If you can't 'echo' the result, perhaps write it to a file?

$name = "Dave's test";
$newName = addslashes($name);
file_put_contents('/tmp/test.txt', $newName); // temporary

This could at least let you prove to yourself that your addslashes() is doing what it is supposed to.

thomasrutter
A: 

Looks like error_log is calling addslashes internally. After reading the questions posted in response to my original question, I created a very trivial script...

<?php
        $name = "Dave's test";
        $newName = addslashes($name);
        echo    "name=$name.   newName=$newName";
        error_log("name=$name.   newName=$newName");
?>

Result from the echo:

name=Dave's test. newName=Dave\'s test

Result from the error_log:

name=Dave's test.   newName=Dave\\'s test

Many thanks to all who took the time to read and comment on this question. This was my first question on Stack Overflow and I was just blown away by the speed of the responses. What a great community!

P.Scivetti
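
Added example, not part of the original posts: one way to check what addslashes() actually produced without relying on how a log displays it, by counting and hex-dumping the bytes. describe_bytes() and render_like_escaping_sink() are hypothetical helpers, and the sink model is an assumption about a logging layer that escapes backslashes, not PHP's or the web server's own code.

```php
<?php
// Added example (not from the original posts): inspect the bytes of a string
// instead of trusting how a log sink renders it.

// Summarise what is really in the string: length, backslash count, hex dump.
function describe_bytes($s)
{
    return sprintf(
        'len=%d backslashes=%d hex=%s',
        strlen($s),
        substr_count($s, '\\'),
        bin2hex($s)
    );
}

// Hypothetical model of a sink that escapes on write: each backslash is
// doubled and non-printable bytes become \xNN, so an entry stays on one line.
function render_like_escaping_sink($s)
{
    $out = '';
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        $c = $s[$i];
        if ($c === '\\') {
            $out .= '\\\\';                        // one backslash shown as two
        } elseif (ord($c) < 0x20 || ord($c) > 0x7e) {
            $out .= sprintf('\\x%02x', ord($c));   // control and high bytes
        } else {
            $out .= $c;
        }
    }
    return $out;
}

$name    = "Dave's test";
$newName = addslashes($name);

// Ground truth about both strings, independent of any display layer.
echo describe_bytes($name), "\n";
echo describe_bytes($newName), "\n";

// How the same bytes would look after passing through the modelled sink.
echo render_like_escaping_sink($newName), "\n";

// Hex output is only [0-9a-f], so an escaping layer cannot alter its display.
error_log('newName ' . describe_bytes($newName));
```

Run from the command line, error_log() writes to stderr, so the hex form can be compared directly with the echoed lines.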