Viewed   75 times

Can anyone tell me what is happening here?

// true
var_dump('\ ' === ' ');

// false
var_dump('\\ ' === '\ ');

// true
var_dump('\\ ' === '\ ');



inside a string literal introduces several types of escape sequences, \ is the escape sequence for a literal "". But, s that don't resolve to an escape sequence are also taken as literal "".

Therefor, '\ ' stands for the string " ", '\\ ' stands for the string "\ ", just as '\ '. Try:

echo '\\ ';   -> \ 


Thursday, December 22, 2022

$str contains a string with the content of "$var" (no variable replacement, just these very characters). It was created using single quotes, so no variable replacement there.

When echoing it using echo "$str", the variable $str gets replaced with its content, namely the string "$var", thus resulting in your output.

The string replacement in double quotes strings does not work recursively! So in order to have $str replaced by 1024 in the second appearance, you have to create $str using double quotes in the first place.

Monday, November 28, 2022

No, you should, in fact, avoid using functions like these at all cost! What you should be looking into is the use of prepared statements.
Check the doc pages of any of the mysql_* functions, and notice the red warning-thing: the extension has begun the deprecation process, instead PDO or mysqli_* is suggested.

To avoid injection, prepared statements are what you should use... read a couple of articles on the matter, and look into the advantages of both PDO and mysqli_*. That's, I'm afraid the only way forward...

Thursday, December 22, 2022

Ok I finally got it. On dreamhost, it is possible to use fastcgi and therefore declare environment variables with it. It consists of just adding this simple script

exec /home/USERNAME/YOURDOMAIN/cgi-bin/php.cgi

Which is where my compiled PHP5.3.1 was located. chmod 744 on that file called dispatch.fcgi which will be allowed more memory by dreamhost's watchdog.

After that I added to my domain's .htaccess the following:

Options +ExecCGI
AddHandler fastcgi-script fcg fcgi fpl
AddHandler php5-fastcgi .php
Action php5-fastcgi /dispatch.fcgi

now in the application's root I have another .htaccess with:


In a php script is is retrievable via getenv('REDIRECT_APPLICATION_ENVIRONMENT');

Saturday, August 6, 2022

Let me begin by saying that you should really not really store data in any particular escaped format in the database, you'll regret it later if you need to extract it in another format or search the data for some reason later. The format you're saving now looks good, and adding backslashes for Javascript is better done in code when passing the data to the actual Javascript.

Now this is why it currently behaves like it does;

In the string 'Tom's things', ' is a character escape sequence and is really only used to let MySQL understand how to parse the SQL string, it's never saved as is to the database.

The reason you escape the character ' in the SQL statement you're showing to begin with is that otherwise MySQL has no way of knowing that the string does not end at the single quote after 'Tom.

If you use MySQLi or PDO prepared statements instead of building your SQL statements yourself, MySQL will let you save values entirely unchanged without having to ever escape anything. This is definitely the preferred option, since the MySQL API that does not support prepared statements is deprecated anyway.

Wednesday, October 5, 2022
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :