Why do we need DB-specific functions like mysql_real_escape_string()? What can it do that addslashes() doesn't?
Ignoring for the moment the superior alternative of parameterized queries, is a webapp that uses addslashes() exclusively still vulnerable to SQL injection, and if yes, how?
It adds slashes to:
\x00, \n, \r, \, ', " and \x1a characters.
Whereas addslashes only adds slashes to
', \ and NUL.
Ilia's article is also pretty detailed on its functionality.