0
$val = "I'm string";

For this type of string I am using the addslashes function, which convert string into like this:

"I\'m string"

and store into the database. When I get all data from database in array of fields and passed array in 

json_encode($arr);

In response I get the string with a extra slash like this:

"I\\'m string"

And I wanted to remove that extra slash which is added by json_encode. how I do that??

Chaitanya Desai
  • 333
  • 3
  • 17
  • 2
    You shouldn't be using addslashes with databases. Use prepared statements. It looks like you're actually adding a literal slash to your string instead of escaping the apostrophe. – Devon Bessemer Jul 03 '18 at 13:02
  • 1
    Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` API's and this problem dissappears and you dont need **strip** or **add** slashes anywhere – RiggsFolly Jul 03 '18 at 13:04
  • you all mean to say that I used the prepared statement then no need to used addslashes function – Chaitanya Desai Jul 03 '18 at 13:07
  • 1
    If you use prepared statement correctly, you don't need addslashes – Adder Jul 03 '18 at 13:07
  • prepared statement handle the "I'm" string??? – Chaitanya Desai Jul 03 '18 at 13:08
  • 1
    Yes, without you having to do ANYTHING special at all – RiggsFolly Jul 03 '18 at 13:09
  • 2
    This questions attracts lots of answers which are downvoted. This would not happen if you had shown your code for writing to the database – Adder Jul 03 '18 at 13:10
  • here https://www.w3schools.com/php/showphp.asp?filename=demo_func_string_addslashes2 it say that it is bad for database queries – Chaitanya Desai Jul 03 '18 at 13:11
  • w3schools also used (maybe still) to promote sql injection vulnerable php. There's 4 people here saying you should just use a prepared statement to fix both the root and the symptoms of your problem. Now the answers have a lot of downvotes while they're technically all correct. – Loek Jul 03 '18 at 13:14
  • I am not the one who give them downvotes – Chaitanya Desai Jul 03 '18 at 13:15
  • That's not the point? The point is that there's 4 correct answers. – Loek Jul 03 '18 at 13:16

3 Answers3

2

You can use stripslashes.

However, you should use prepared statements. That way you don't need to worry about escaping your values.

Script47
  • 14,230
  • 4
  • 45
  • 66
2

If you really want an answer to this question you can reverse your addslashes with stripslashes.

But never use addslashes function to escape values you are going to send to mysql.

Use native prepared statements, mysqli_real_escape_string() or PDO::quote.

BUT NOTE:

  1. Don't use a vulnerable character set for connection encoding (use utf8 or something)
  2. Use a higher version of MySQL than 5.7.6.

Read more about character set issues here: http://php.net/manual/en/mysqlinfo.concepts.charset.php

Timmetje
  • 7,641
  • 18
  • 36
  • 2
    Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) – RiggsFolly Jul 03 '18 at 13:10
  • Changed my answer to add to the encoding issues. – Timmetje Jul 03 '18 at 13:14
  • It is safe enough if you are using quotes around the variables. – Adder Jul 03 '18 at 13:15
  • @RiggsFolly The bug `NO_BACKSLASH_ESCAPES` was already fixed in 5.7.6. And both functions are safe. But you were right it should mention you need a higher version than 5.7.6. The character issues are documented in PHP docs. – Timmetje Jul 03 '18 at 13:18
-2

It might even be possible with this (though I thought it was forward slash / only:

json_encode($array, JSON_UNESCAPED_SLASHES);

But heed to the comments and Script47's answer and just fix it properly.

Loek
  • 4,037
  • 19
  • 35
  • Woah nice, those downvotes. Would love some feedback on my answer since you all think it's clearly wrong? Prepared statements **will** fix OP's problem. – Loek Jul 03 '18 at 13:08