Why does php insert backslash while replacing double quotes

Question

I\'m wondering why php adds a backslash when i remove double quotes.

Answer 1

User input gets escaped by magic quotes.

http://www.php.net/manual/en/function.get-magic-quotes-gpc.php

Elegant weapons for a more... civilized age.

Answer 2

It doesn't add them when you remove the slash, it automatically escapes them in the query string parameters when the magic_quotes_gpc directive is enabled (and it is, by default pre 5.30). It did this as a security precaution, so that the data could be safely used in a database query. You can disabled them by changing the setting in your php.ini file, see http://www.php.net/manual/en/security.magicquotes.disabling.php.

You can also use stripslashes to remove them:

$number = str_replace(array('"', "'"), '', stripslashes($number));

An example use of stripslashes() is when the PHP directive magic_quotes_gpc is on (it's on by default), and you aren't inserting this data into a place (such as a database) that requires escaping. For example, if you're simply outputting data straight from an HTML form.

Answer 3

See http://php.net/manual/en/security.magicquotes.php

Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.

When on, all ' (single-quote), " (double quote), \ (backslash) and NULL characters are escaped with a backslash automatically.

In short, magic quotes is a feature in PHP where quote characters are automatically escaped with the \ character.

Here are some solutions for turning off magic quotes: http://www.php.net/manual/en/security.magicquotes.disabling.php

Answer 4

You possible have bad magic quotes turned on. If that's the case, you should simply disable them from php.ini.