How to strip slashes in Javascript (json)? Any JQuery plugin?
Solution 1
Use: http://au.php.net/manual/en/function.mysql-real-escape-string.php before storing into database.
Use a custom function like this before writing onto any user interface:
function unescape($string)
{
    // Turn the literal escape sequences back into the characters they stand for.
    $search = array("\\x00", "\\n", "\\r", "\\\x1a");
    $replace = array("\x00", "\n", "\r", "\x1a");
    $retString = str_replace($search, $replace, $string);
    // Remove the backslash in front of single and double quotes.
    $search = array("\'", '\\'.'"');
    $replace = array("'", '"');
    $retString = str_replace($search, $replace, $retString);
    // Collapse doubled backslashes last.
    $search = array("\\\\");
    $replace = array("\\");
    $retString = str_replace($search, $replace, $retString);
    return $retString;
}
Solution 2
It's actually highly discouraged to use this "magic quotes" feature that inserts slashes. In general, you never want to store data in the database in an escaped format; you want to do the escaping and encoding in the output.
Solution 3
I would take care of the main problem - magic_quotes is enabled.
I would disable it and use proper escaping methods with your database.
Then you don't have to worry about PHP magically adding slashes.
If you are talking about slashes when using json_encode(), it does that for a reason.
Use a JSON parser in JavaScript and you won't see them (unless something else is improperly encoding them).
Solution 4
Try this too
function stripslashes (str) {
    return (str + '').replace(/\\(.?)/g, function (s, n1) {
        switch (n1) {
            case '\\':
                return '\\';
            case '0':
                return '\u0000';
            case '':
                return '';
            default:
                return n1;
        }
    });
}
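Solutions 3 and 4 side by side, as an added example that is not part of any answer on this page: a constructed json_encode()-style payload is decoded with JSON.parse and, for comparison, run through a condensed copy of the regex stripslashes. The helper names tryParse and escapeHtml and the sample data are assumptions made for the illustration.

```javascript
// Constructed sample: the text PHP's json_encode() emits for an array holding
// a quote, a backslash, a newline, a non-ASCII character and a URL.
const wire = String.raw`{"name":"McDonald's","path":"C:\\temp","note":"line1\nline2",` +
  String.raw`"quote":"say \"hi\"","city":"Montr\u00e9al","url":"http:\/\/example.com\/"}`;

// Regex approach from Solution 4, condensed, kept only for comparison.
function stripslashes(str) {
  return (str + '').replace(/\\(.?)/g, (s, n1) => (n1 === '0' ? '\u0000' : n1));
}

// Hypothetical helper: parse without throwing so outcomes can be compared.
function tryParse(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (e) {
    return { ok: false, error: e.name };
  }
}

// Hypothetical helper: encode for an HTML text or attribute context at output time.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The parser decodes every escape: \\ , \n , \" , \u00e9 and \/ .
const parsed = tryParse(wire);

// Stripping slashes first turns \" into a bare quote, so the text is no longer JSON.
const broken = tryParse(stripslashes(wire));

// Without embedded quotes the stripped text still parses, but the data is corrupted:
// the newline escape becomes the letter n and the \u escape loses its meaning.
const subtle = tryParse(
  stripslashes(String.raw`{"note":"line1\nline2","city":"Montr\u00e9al"}`)
);

console.log(parsed.value.name, '|', parsed.value.path, '|', parsed.value.city);
console.log(broken);
console.log(subtle.value);
console.log(escapeHtml(parsed.value.name)); // encoded only when written into HTML
```

The single quote in the sample needs no unescaping at all, because json_encode() does not backslash-escape it by default.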
Solution 5
murvinlai
Updated on July 09, 2022
Comments
-
murvinlai almost 2 years
So, when I save the data into database, PHP will add a \ on single or double quotes. That is good.
However, when data is passed back to the client using json_encode(); TEXT like McDonald's is STORED as McDonald's in the DB but once passed back from PHP to js, it will be encoded as McDonald\'s
Since I'm using jQuery, is there any plugin to easily do that? or any function I should use to strip the slashes correctly? obviously, if there is case like \\\\s, the function should return \s. :)
Sorry guys. I think I made my question too complicated. How about I make it simpler..
If I have a javascript variable:
var abc = "McDonald\'s";
var bcd = "I need a slash \\ ";
var cde = "save the double quote \"";
how can I strip the \' ? what the regex I should use?
-
Andrew over 13 years
I'm a little worried about a lot of the answers here. My PHP security knowledge is somewhat dated, so I'm not really qualified to give a good answer here, but it is vitally important that if you do turn off magic quotes, you replace it with a better escaping system. Your goals should be to prevent both SQL injection and cross-site scripting attacks. I normally would use mysql_real_escape_string($user_input) going into the DB and htmlentities($db_output) going out to the client -- but this may not be considered 100% safe any more. Hopefully someone can give better advice.
-
Deva over 13 years
What are you using in your JS to parse the JSON? Whatever you use would de-escape everything, if it's generated properly (which json_encode will do).
-
user3167101 over 13 years
@Andrew That advice is still sound, though generally you want to encode to a view with htmlspecialchars(). It is sufficient.
-
Andrew over 13 years
Hi @alex. This is a can of worms I'm not qualified to open, but my preference in the past was to go with htmlentities() because it is significantly more destructive to user input, without having any visible impact on the rendered page (as long as you match the page encoding). When I did some studying of hacking methods three years ago, I was appalled at the variety of unicode characters available to a determined hacker -- and I still don't understand how many of these techniques worked. And I'm still not 100% sure htmlentities() is safe, but I know it's safer than htmlspecialchars().
-
user3167101 over 13 years
@Andrew Well htmlspecialchars() targets just the characters generally used for XSS. I think using htmlentities() will do the same, but just bloat the page using &#xx; style encoding for exotic characters, and most encoded stuff can be achieved by using UTF-8 as the character set.
-
murvinlai over 13 years
Thanks. it is helpful too. :)
-
-
murvinlai over 13 years
Actually, I just check the DB, the magic quote is off. It will store McDonald's in DB. HOWEVER, the data generated from json_encode will attach the \'. That has to like that when getting back to JSON. BUT how can I remove the strip in JS?
-
murvinlai over 13 years
I read that already. but it is so messy that other people's comment provide different things and saying it doesn't work in IE...
-
Deva over 13 years
That's not quite correct; you want to escape data where it leaves the application in a way appropriate to where it's going. That is, you escape it for SQL generation in a way that doesn't store it escaped.
-
Domenic over 13 years
@seatoskyhk, as @alex explains in his answer, use a JSON parser in JavaScript.
-
murvinlai over 13 years
For the JSON part, that exactly I need to figure out.. I don't want to have \' when I extract the data.
-
murvinlai over 13 years
That one doesn't work. .return error... unmatched ) in regular expression
-
murvinlai over 13 years
Better than mine.. lol i have a new function that have \\\\\\\\\\\\\\\\