PHP and Escaping Characters

Escaping in PHP doesn't mean breaking free and "doing a runner". It is a technique for stopping PHP from ending your strings too early, and for making sure the string you get back contains the characters you intended. Here's an example. Try this script:

<?PHP
$string = 'John's Car';
print $string;
?>

Make sure you type the script exactly as it is, with all the single quote marks. Now run the script.

What you should find is that PHP gives you an error message. The reason is that the line has three single quote marks: PHP closes the string at the apostrophe in John's and cannot make sense of what follows. To solve the problem, you could use double quotes on the outside, like this:

$string = "John's Car";

Or you could escape the apostrophe. You escape a character by typing a "slash" (the backslash character, \) before it, like this:

$string = 'John\'s Car';

If you try that out, you should find that the string prints correctly.

Now try this script:

<?PHP
$astring = 'mypath\';
print $astring;
?>

Again, you'll get an error from PHP. Surround it with double quotes instead of single quotes and run the script again. Does the string print?

The reason it doesn't is that you haven't escaped the slash. PHP treats the slash as a special character and expects another character to follow it. But we want a literal slash in the string. To escape it, use a second slash, like this:

$astring = 'mypath\\';

So now we have two slashes on the end of the string. When you run the script, you should find that it prints out this:

mypath\

If your PHP script is not returning the characters it should, you may need to escape them with a slash.

You also need to escape certain characters when working with databases, otherwise you're opening yourself up to attack! You'll hear more on this topic when we get to that section.
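As an added example (not part of the original tutorial), the script below walks through the escaping rules described above for single- and double-quoted strings, turns the manual fix into a small helper of our own called toSingleQuotedLiteral(), and shows the database point from the last paragraph handled with a bound parameter instead of hand escaping. It assumes PHP with the pdo_sqlite extension available.

```php
<?php
// Added example, not from the original tutorial. toSingleQuotedLiteral()
// is our own helper name, not a PHP builtin.

// Single quotes: only \\ and \' are escape sequences; everything else,
// including \n, is kept literally as two characters.
$single = [
    'John\'s Car',    // escaped apostrophe, as in the tutorial's fix
    'mypath\\',       // escaped backslash, as in the tutorial's fix
    'line1\nline2',   // backslash and n are stored as-is, no newline
];

// Double quotes: \", \\, \n, \t and $variables are all interpreted.
$double = [
    "John's Car",     // apostrophe needs no escaping inside double quotes
    "mypath\\",       // backslash still has to be doubled
    "line1\nline2",   // \n becomes a real newline character
];

// json_encode() shows the stored bytes unambiguously: a real newline
// is shown as \n and a literal backslash as \\, so the two string
// kinds can be compared side by side along with their lengths.
foreach (array_merge($single, $double) as $s) {
    printf("%-20s %2d chars\n", json_encode($s), strlen($s));
}

// Generalising the manual fixes: turn arbitrary text into a valid
// single-quoted PHP literal. Backslashes are doubled first so that the
// backslash added in front of each apostrophe is not escaped again.
function toSingleQuotedLiteral(string $text): string
{
    return "'" . str_replace(['\\', "'"], ['\\\\', "\\'"], $text) . "'";
}

print toSingleQuotedLiteral("John's Car") . "\n";
print toSingleQuotedLiteral("mypath\\") . "\n";

// Databases: rather than hand-escaping quotes into the SQL text, pass
// the value as a bound parameter so the driver keeps it as data. An
// in-memory SQLite database keeps this runnable without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE cars (owner TEXT)');
$stmt = $pdo->prepare('INSERT INTO cars (owner) VALUES (:owner)');
$stmt->execute([':owner' => "John's Car"]);   // the apostrophe is just data
print $pdo->query('SELECT owner FROM cars')->fetchColumn() . "\n";
```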