PHP Escape Characters: How to Escape Special Characters


PHP has escape characters because some symbols in strings serve special purposes. For example, a quote can end a string, and a backslash can start an escape sequence.

If you do not mark these symbols as plain text, PHP can misread them or raise an error.

In this article, you will learn how escape characters work in PHP through examples and other related topics.

Understand Escape Characters in PHP

Escape characters are special symbols in programming that help handle data. They represent characters that are hard to type or have special functions. They instruct the system to handle the next character differently from its normal role.

Examples:

  • \n means a new line.
  • \t means a tab space.
  • \\ means a backslash itself.
  • \" means a double quote inside a string.

Escape characters let you add the following inside text:

  • quotes
  • new lines
  • tabs

This prevents errors or confusion.

You use escape characters in strings when you need to include special characters that would otherwise cause problems or be interpreted differently.

For example:

  • When you want to add a new line inside a string, use \n.
  • When you want to add a tab space, use \t.
  • When you want to include a quote mark inside a string that uses the same quote type, use \" or \' to avoid ending the string early.
  • When you want to include a backslash itself, use \\ because a single backslash starts an escape sequence.

Escape characters prevent errors when the string contains special symbols.

In the following part, you will learn some common escape characters and how they work.

Common Escape Sequences in PHP (\n, \t, \", \\)

Escape sequences in PHP let you include special characters inside strings. Here are some common ones:

  • \n creates a new line. It moves the text that follows to the next line.
  • \t adds a tab space. It adds horizontal space, as if you pressed the Tab key.
  • \" inserts a double quote inside a string wrapped by double quotes, so PHP does not end the string early.
  • \\ adds a backslash character itself.

This code shows how they work:

echo "Hello\nWorld";  
echo "Column1\tColumn2";  
echo "He said, \"Hello\"";  
echo "This is a backslash: \\";  

Output:

Hello
WorldColumn1 Column2He said, "Hello"This is a backslash: \

The output runs together because echo does not add a line break of its own. Only the \n inside the first string starts a new line.

Let’s move on to the following section to learn how escape sequences differ between single-quoted and double-quoted strings in PHP.

Single and Double Quotes in PHP

Escape sequences in PHP work differently in single-quoted strings compared to double-quoted strings.

Many escape sequences work in double-quoted strings, as the previous sections showed. But in single-quoted strings, only two escape sequences work:

  • \\ for a backslash.
  • \' for a single quote.

Other sequences like \n or \t will appear as plain text and not create a new line or tab.

Here is an example:

echo "Line1\nLine2";  
echo 'Line1\nLine2';   

echo "She said, \"Hello\"";   
echo 'She said, \'Hello\'';  

Output:

Line1
Line2Line1\nLine2She said, "Hello"She said, 'Hello'

Escape Special Characters in HTML and SQL

Escape special characters to prevent errors and security issues in HTML and SQL.

In HTML:

Some characters have special meanings. Escape them to show content correctly. For example:

  • < becomes &lt;
  • > becomes &gt;
  • & becomes &amp;
  • " becomes &quot;
  • ' becomes &#39;

This stops the browser from reading them as code. It also helps avoid broken pages and cross-site scripting (XSS) attacks.

In SQL:

Special characters in SQL strings, such as quotes, can break a query. Escape them to prevent query errors and to block SQL injection.

  • A single quote ' inside a string is escaped by doubling it: ''
  • Functions like mysqli_real_escape_string() or prepared statements handle this automatically.

Here is a simple example in SQL:

SELECT * FROM users WHERE name = 'O''Reilly';

The '' represents a single quote inside the string.

You have to escape special characters to protect data and keep SQL queries error-free.

Use of addslashes() and stripslashes()

The addslashes() and stripslashes() functions add and remove escape characters in strings.

  • addslashes() adds backslashes before special characters such as:
    • single quotes (')
    • double quotes (")
    • backslashes (\)
    • NULL characters.
  • stripslashes() removes those backslashes added by addslashes(). You use it when you want to clean a string that has been escaped before, usually when you retrieve data.

This helps prepare strings for use in places like SQL queries, where these characters might cause problems.

Here is a simple example:

$text = "O'Reilly";
$escaped = addslashes($text);   
echo $escaped;

$clean = stripslashes($escaped);   
echo $clean;

Output:

O\'ReillyO'Reilly

The addslashes() function helps avoid errors when inserting text into databases or other places where quotes can cause issues. The stripslashes() function reverses that process when you want the original text back.
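
The SQL escaping described here and in the earlier SQL section, as an added example (not code from the original article): it compares addslashes(), driver-aware quoting and bound parameters on an in-memory SQLite database. It assumes the pdo_sqlite extension is enabled; the table and the sample names are constructed. addslashes() is not database-aware, so its backslash form is only correct for databases that happen to use backslash escaping.

```php
<?php
// Added example with constructed data. Assumes the pdo_sqlite extension is enabled.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

// Constructed sample inputs containing quotes and a backslash.
$names = ["O'Reilly", 'Say "hi"', 'back\\slash'];

// Bound parameters: values travel separately from the SQL text,
// so no escaping step is needed.
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$select = $pdo->prepare('SELECT name FROM users WHERE name = :name');
foreach ($names as $name) {
    $insert->execute([':name' => $name]);
}

foreach ($names as $name) {
    $select->execute([':name' => $name]);
    $stored = $select->fetchColumn();
    $select->closeCursor();
    printf("bound parameter round trip for %s: %s\n",
        $name, $stored === $name ? 'intact' : 'CHANGED');

    // Driver-aware quoting follows the database's own rule
    // (SQLite doubles the single quote).
    printf("  PDO::quote : %s\n", $pdo->quote($name));
    // addslashes() knows nothing about the database and always uses backslashes.
    printf("  addslashes : '%s'\n", addslashes($name));
}

// SQLite does not treat a backslash as an escape, so the string literal ends
// at the quote after the backslash and the rest is a syntax error.
try {
    $pdo->query("SELECT name FROM users WHERE name = '" . addslashes("O'Reilly") . "'");
    echo "addslashes query ran\n";
} catch (PDOException $e) {
    echo "addslashes query rejected: ", $e->getMessage(), "\n";
}
```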

Escape Output with htmlspecialchars() and htmlentities()

The htmlspecialchars() and htmlentities() functions escape special characters before you send text to a web page. This prevents HTML code or scripts from running, which protects your site from attacks like cross-site scripting (XSS).

  • htmlspecialchars() converts a few special characters to HTML entities. It changes:
    • < to &lt;
    • > to &gt;
    • & to &amp;
    • " to &quot;
    • ' to &#039; (if you set the right flag)
  • htmlentities() converts all applicable characters to HTML entities, including accents and symbols.

Here is an example:

$text = '<a href="test">Click</a>';

echo htmlspecialchars($text); 

echo htmlentities($text); 

Output:

&lt;a href=&quot;test&quot;&gt;Click&lt;/a&gt;&lt;a href=&quot;test&quot;&gt;Click&lt;/a&gt;

Use these functions when you display user input or any text that might contain HTML to keep the page safe.
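
The example above produces the same output from both functions, so here is an added example (not from the original article) where they differ, together with the flags that matter in practice. The input strings are constructed, escapeHtml() is a hypothetical helper name, and the file is assumed to be saved as UTF-8.

```php
<?php
// Added example with constructed input; escapeHtml() is a hypothetical helper name.
function escapeHtml(string $s): string
{
    // Explicit flags and charset give the same result on every PHP version.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$input = 'Café <b title="x">it\'s</b> & more';

// Element content and quoted attribute values both use the same escaped form.
echo '<p>', escapeHtml($input), "</p>\n";
echo '<input name="comment" value="', escapeHtml($input), "\">\n";

// ENT_NOQUOTES leaves " and ' untouched: acceptable in element content only,
// never inside a quoted attribute value.
echo htmlspecialchars($input, ENT_NOQUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";

// htmlentities() additionally writes é as a named entity. On a UTF-8 page this
// adds nothing to safety; it only changes how the accent is written.
echo htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";

// Escaping twice double-encodes: the reader sees "&lt;b&gt;" as literal text.
echo escapeHtml(escapeHtml('<b>')), "\n";

// Invalid UTF-8 (a lone Latin-1 byte): without ENT_SUBSTITUTE the whole string
// comes back empty; with it the bad byte becomes U+FFFD and the rest survives.
$bad = "caf\xE9 <i>";
var_dump(htmlspecialchars($bad, ENT_QUOTES, 'UTF-8'));
var_dump(escapeHtml($bad));
```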

Escape Quotes Inside PHP Strings

When you need to include quotes inside PHP strings, you have to escape them so PHP knows they are part of the text, not the end of the string.

  • For double-quoted strings, escape double quotes with a backslash: \"
  • For single-quoted strings, escape single quotes with a backslash: \'

Here are some examples:

echo "She said, \"Hello\"";    
echo 'It\'s a sunny day'; 

Output:

She said, "Hello"It's a sunny day

If you do not escape the quotes, PHP will think the string ends early, causing errors.

Alternatively, you can use the other type of quote to avoid escaping:

echo 'She said, "Hello"';   
echo "It's a good day";      

Output:

She said, "Hello"It's a good day

Prevent Code Injection with Proper Escaping

To prevent code injection, stop data that users enter into your application from running as code. Proper escaping helps block such attacks.

Here is how escaping helps prevent code injection:

  • In SQL: It escapes special characters in user input and avoids breaking the query or adding malicious commands. Using prepared statements with bound parameters works best, but escaping helps if you do not use prepared statements.
  • In HTML: It escapes special characters and prevents users from injecting scripts or HTML tags that run unwanted code in browsers. Functions like htmlspecialchars() protect against this.
  • In JavaScript and other languages: Convert special characters into safe versions before you output data into them. This step helps stop injection attacks.

Escaping alone is not always enough. You should also:

  • Validate and sanitize all user input.
  • Use prepared statements for database queries.
  • Use secure coding practices everywhere.
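
For the JavaScript case in the list above, an added example (not from the original article) of passing a PHP value into a script block and into a data attribute. It assumes PHP 8 or later; jsValue() is a hypothetical helper name and the input is constructed.

```php
<?php
// Added example with constructed input; jsValue() is a hypothetical helper name.
function jsValue(mixed $value): string
{
    // The JSON_HEX_* flags write <, >, &, ' and " as \uXXXX escapes, so the
    // value cannot close the surrounding <script> element or a quoted attribute.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

$displayName = 'Tom </script> & "Jerry"';   // constructed sample input

// Inside a <script> block: JSON-encode, do not HTML-escape.
echo "<script>\n";
echo '  const displayName = ', jsValue($displayName), ";\n";
echo "</script>\n";

// Inside an HTML attribute that JavaScript reads later: JSON-encode for the
// script, then HTML-escape for the attribute.
$payload = jsValue(['name' => $displayName, 'id' => 7]);
echo '<div id="user" data-user="',
    htmlspecialchars($payload, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
    "\"></div>\n";

// htmlspecialchars() alone is the wrong tool in a script block: entities are
// not decoded there, so the script would see the literal text "&amp;".
echo htmlspecialchars($displayName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
```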

PHP Escape Character Examples

Move the text to the next line:

echo "Hello\nWorld";  

Output:

Hello
World

Adds a horizontal tab space:

echo "Name:\tJohn";

Output:

Name:	John

Allows double quotes inside double-quoted strings:

echo "She said, \"Hi\"";

Output:

She said, "Hi"

Allows single quotes inside single-quoted strings:

echo 'It\'s fine';

Output:

It's fine

Prints a backslash character:

echo "This is a backslash: \\";  

Output:

This is a backslash: \

Wrapping Up

You learned how escape characters work in PHP with examples. Here is a quick recap:

  • Escape characters tell PHP to treat certain symbols as plain text, so you can use quotes or backslashes without errors.
  • Some common escape sequences are \n for a new line, \t for a tab, \" for a double quote, and \\ for a backslash.
  • Double-quoted strings allow many escape sequences. Single-quoted strings allow only \\ and \'.
  • Escape characters help prevent syntax errors and security risks in HTML and SQL. Use the htmlspecialchars() function for HTML. Use prepared statements or mysqli_real_escape_string() for SQL.
  • The addslashes() function inserts backslashes before special characters. The stripslashes() function removes them.
  • Insert backslashes or choose a different type of quote to include quotes inside a PHP string.
  • Escape characters help stop code injection. Safe user input avoids threats in SQL, HTML, or scripts.

FAQs

What are escape characters in PHP?

Escape characters in PHP are special symbols used inside strings to represent characters that are hard to type or that have special meanings. They prevent PHP from misreading parts of a string.

Why do we use escape characters in PHP?

We use escape characters to avoid errors when a string includes symbols like quotes, tabs, or backslashes. Without them, PHP might end the string early or misread the input.

What are the most common escape characters in PHP?

  • \n – new line
  • \t – tab space
  • \\ – backslash
  • \" – double quote
  • \' – single quote (only in single-quoted strings)

What is the difference between single and double quotes in PHP?

Double-quoted strings support many escape sequences like \n and \t. Single-quoted strings only support \\ and \'. Other escape characters appear as plain text.

How do I escape double quotes in PHP?

Use \" inside double-quoted strings. For example:
echo "She said, \"Hello\"";

How do I escape single quotes in PHP?

Use \' inside single-quoted strings. For example:
echo 'It\'s a sunny day';

What does addslashes() do in PHP?

The addslashes() function adds a backslash before certain characters like single quotes, double quotes, backslashes, and NULL. This prepares the string for use in places like SQL queries.

What does stripslashes() do in PHP?

The stripslashes() function removes the backslashes added by addslashes(). You often use it when retrieving escaped data and want the original string back.