What Does It Mean to Escape a String

What does it mean to escape a string?

Escaping a string means to reduce ambiguity in quotes (and other characters) used in that string. For instance, when you're defining a string, you typically surround it in either double quotes or single quotes:

"Hello World."

But what if my string had double quotes within it?

"Hello "World.""

Now I have ambiguity - the interpreter doesn't know where my string ends. If I want to keep my double quotes, I have a couple options. I could use single quotes around my string:

'Hello "World."'

Or I can escape my quotes:

"Hello \"World.\""

Any quote that is preceded by a slash is escaped, and understood to be part of the value of the string.

When it comes to queries, MySQL has certain keywords it watches for that we cannot use in our queries without causing some confusion. Suppose we had a table of values where a column was named "Select", and we wanted to select that:

SELECT select FROM myTable

We've now introduced some ambiguity into our query. Within our query, we can reduce that ambiguity by using back-ticks:

SELECT `select` FROM myTable

This removes the confusion we've introduced by using poor judgment in selecting field names.

A lot of this can be handled for you by simply passing your values through mysql_real_escape_string(). In the example below you can see that we're passing user-submitted data through this function to ensure it won't cause any problems for our query:

// Query
// Note: the mysql_* extension was removed in PHP 7; mysqli_real_escape_string()
// or prepared statements are the modern equivalents.
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
                 mysql_real_escape_string($user),
                 mysql_real_escape_string($password));

Other methods exist for escaping strings, such as addslashes, addcslashes, quotemeta, and more, though you'll find that when the goal is to run a safe query, by and large developers prefer mysql_real_escape_string or pg_escape_string (in the context of PostgreSQL).

What does `escape a string` mean in Regex? (Javascript)

Many characters in regular expressions have special meanings. For instance, the dot character '.' means "any one character". There are a great deal of these specially-defined characters, and sometimes, you want to search for one, not use its special meaning.

See this example to search for any filename that contains a '.':

/^[^.]+\..+/

In the example, there are 3 dots, but our description says that we're only looking for one. Let's break it down by the dots:

  • Dot #1 is used inside a "character class" (the characters inside the square brackets), which tells the regex engine to search for "any one character" that is not a '.', and the "+" says to keep going until there are no more characters or the next character is the '.' that we're looking for.
  • Dot #2 is preceded by a backslash, which says that we're looking for a literal '.' in the string (without the backslash, it would be using its special meaning, which is looking for "any one character"). This dot is said to be "escaped", because its special meaning is not being used in this context - the backslash immediately before it made that happen.
  • Dot #3 is simply looking for "any one character" again, and the '+' following it says to keep doing that until it runs out of characters.

So, the backslash is used to "escape" the character immediately following it; as such, it's called the "escape character". That just means that the character's special meaning is taken away in that one place.

Now, escaping a string (in regex terms) means finding all of the characters with special meaning and putting a backslash in front of them, including in front of other backslash characters. When you've done this one time on the string, you have officially "escaped the string".
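An added example (not code from the answer above) of the procedure just described: a JavaScript escapeRegExp that backslashes every character with a special regex meaning, used to build a pattern from untrusted text, alongside the filename pattern from the answer. The sample file names are constructed for the demonstration.

```javascript
// The characters that carry a special meaning in a JavaScript regex, plus the
// backslash itself. A backslash in front of any of them removes that meaning.
const REGEX_SPECIAL = /[.*+?^${}()|[\]\\]/g;

// Escape every special character in `s` so the result matches `s` literally.
// A backslash in the input comes out doubled, which is the "\\\\" case discussed
// later on this page: the string parser and the regex parser each consume one level.
function escapeRegExp(s) {
  return s.replace(REGEX_SPECIAL, "\\$&");
}

// Build a regex that matches `literal` exactly, with optional flags.
function literalRegExp(literal, flags = "") {
  return new RegExp(escapeRegExp(literal), flags);
}

// The filename pattern from the answer above: a name part with no dots,
// one literal dot, then at least one more character.
const FILENAME_WITH_DOT = /^[^.]+\..+/;

// Return the entries of `names` that contain `needle` as literal text.
function findLiteral(names, needle) {
  const re = literalRegExp(needle);
  return names.filter((n) => re.test(n));
}

// Constructed sample input (hypothetical file names).
const NAMES = ["report.v2.txt", "reportXv2.txt", "notes", "a.b"];

// Without escaping, the '.' in "report.v2" means "any one character",
// so "reportXv2.txt" matches as well.
const naiveMatches = NAMES.filter((n) => new RegExp("report.v2").test(n));

// With escaping, only the file whose name really contains "report.v2" matches.
const literalMatches = findLiteral(NAMES, "report.v2");
```

The difference between naiveMatches and literalMatches is exactly what escaping buys you when the pattern text comes from user input.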

What are all the escape characters?

You can find the full list here.

  • \t Insert a tab in the text at this point.
  • \b Insert a backspace in the text at this point.
  • \n Insert a newline in the text at this point.
  • \r Insert a carriage return in the text at this point.
  • \f Insert a formfeed in the text at this point.
  • \s Insert a space in the text at this point.
  • \' Insert a single quote character in the text at this point.
  • \" Insert a double quote character in the text at this point.
  • \\ Insert a backslash character in the text at this point.

MySQL: What does escape '!' mean in a query?

The ESCAPE keyword is used to escape pattern matching characters such as the (%) percentage and underscore (_) if they form part of the data.

Let's suppose that we want to check for the string "67%". We can use:

LIKE '67#%%' ESCAPE '#';

If we want to search for the movie "67% Guilty", we can use the script shown below to do that.

SELECT * FROM movies WHERE title LIKE '67#%%' ESCAPE '#';

Note the double "%%" in the LIKE clause: the first "%" is treated as part of the string to be searched for. The other one is used to match any number of characters that follow.

The same query will also work if we use something like

SELECT * FROM movies WHERE title LIKE '67=%%' ESCAPE '=';
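To make the ESCAPE semantics concrete, here is an added example (not from the answer, and not MySQL's own code) that models LIKE ... ESCAPE in JavaScript by translating the pattern into an anchored regular expression, then runs the two queries above against a constructed list of movie titles. The default escape character of "\" is assumed to mirror MySQL's default.

```javascript
// Make a single character safe to embed in a regular expression.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Translate a LIKE pattern into an anchored regex. '%' matches any run of
// characters and '_' exactly one; a wildcard preceded by the escape character
// is taken literally. A pattern ending in the escape character is an error.
function likeToRegExp(pattern, escapeChar = "\\") {
  let source = "";
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === escapeChar) {
      if (i + 1 >= pattern.length) {
        throw new Error("pattern ends with the escape character");
      }
      source += escapeRegExp(pattern[++i]); // next char is literal, whatever it is
    } else if (ch === "%") {
      source += "[\\s\\S]*";
    } else if (ch === "_") {
      source += "[\\s\\S]";
    } else {
      source += escapeRegExp(ch);
    }
  }
  // Case-insensitive, like MySQL's default collations.
  return new RegExp("^" + source + "$", "i");
}

// `value LIKE pattern ESCAPE escapeChar`
function like(value, pattern, escapeChar) {
  return likeToRegExp(pattern, escapeChar).test(value);
}

// Constructed sample rows standing in for the movies table.
const TITLES = ["67% Guilty", "67 Guilty", "670% Off", "67%"];

// SELECT title FROM movies WHERE title LIKE pattern ESCAPE escapeChar
function selectLike(pattern, escapeChar) {
  return TITLES.filter((t) => like(t, pattern, escapeChar));
}
```

Compare selectLike("67#%%", "#") with selectLike("67%%", "#"): in the second, both percent signs are wildcards, so "67 Guilty" and "670% Off" are returned too.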

How do I escape a string in Java?

You should use the StringEscapeUtils class from Apache Commons Text (you can also find the class in Apache Commons Lang3 but that one is deprecated). You'll find that there are plenty of other offerings in Apache Commons that might serve useful for other problems you have in Java development, so that you don't reinvent the wheel.

The specific call you want has to do with "Java escaping"; the API call is StringEscapeUtils.escapeJava(). For example:

System.out.println(StringEscapeUtils.escapeJava("Hello\r\n\tW\"o\"rld\n"));

would print out:

Hello\r\n\tW\"o\"rld\n

There are plenty of other escaping utilities in that library as well. You can find Apache Commons Text in Maven Central and you'd add it to your Maven project like this:

<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-text</artifactId>
    <version>1.3</version>
</dependency>

and in case you are using Gradle:

compile "org.apache.commons:commons-text:1.3"
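The escapeJava call above, and the quote-escaping described at the top of this page, both do the same job: rewrite a value so it can sit inside a string literal without ending it early. As an added example (not the Apache Commons implementation), here is a JavaScript escapeJava modelled on Java's string-literal escape rules, together with the reverse function, so the round trip on the answer's sample input can be checked.

```javascript
// Characters that Java string literals write with a short escape sequence.
const JAVA_ESCAPES = new Map([
  ["\b", "\\b"], ["\t", "\\t"], ["\n", "\\n"], ["\f", "\\f"], ["\r", "\\r"],
  ['"', '\\"'], ["\\", "\\\\"],
]);

// Escape `s` so it can be pasted inside double quotes in Java source.
// Other control characters and anything outside printable ASCII become \uXXXX.
function escapeJava(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    const ch = s[i];
    const code = s.charCodeAt(i);
    if (JAVA_ESCAPES.has(ch)) {
      out += JAVA_ESCAPES.get(ch);
    } else if (code < 0x20 || code > 0x7f) {
      out += "\\u" + code.toString(16).toUpperCase().padStart(4, "0");
    } else {
      out += ch; // printable ASCII, including the single quote, passes through
    }
  }
  return out;
}

// Reverse: turn escape sequences back into the characters they stand for.
const SIMPLE_UNESCAPES = new Map([
  ["b", "\b"], ["t", "\t"], ["n", "\n"], ["f", "\f"], ["r", "\r"],
  ['"', '"'], ["'", "'"], ["\\", "\\"],
]);

function unescapeJava(s) {
  let out = "";
  for (let i = 0; i < s.length; i++) {
    if (s[i] !== "\\") { out += s[i]; continue; }
    const next = s[++i];
    if (next === "u") {
      out += String.fromCharCode(parseInt(s.substr(i + 1, 4), 16));
      i += 4;
    } else if (SIMPLE_UNESCAPES.has(next)) {
      out += SIMPLE_UNESCAPES.get(next);
    } else {
      throw new Error("unknown escape sequence \\" + next);
    }
  }
  return out;
}
```

escapeJava("Hello\r\n\tW\"o\"rld\n") produces the same text the answer shows as the printed output.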

Do I need to escape every string and what is the maximum length of an escaped string?

Don't escape. Use bind parameters instead.

That aside, the size that counts is the unescaped value. Escaping is only to make it safe for the parser to read the string. The actual string value is still the same size (and will be handled in unescaped form by the MySQL engine). Escaping is just a way to safely embed a value in the query.

How to write escape character to string?

In a normal string, you use \\

If this is in a regular expression, it needs to be \\\\

The reason RegEx needs four is because both the String parser and RegEx engine support escapes. Therefore, \\\\ is parsed to \\ by the String parser then to a literal \ by the RegEx parser.

What's the purpose of the \' escape sequence?

You need it if you want a character literal:

char apos = '\'';
