What does mysql_real_escape_string() do that addslashes() doesn't?

Michael Borgwardt · Feb 11, 2009 · Viewed 12.7k times

Why do we need a DB-specific functions like mysql_real_escape_string()? What can it do that addslashes() doesn't?

Ignoring for the moment the superior alternative of parameterized queries, is a webapp that uses addslashes() exclusively still vulnerable to SQL injection, and if yes, how?

Answer

Ólafur Waage · Feb 11, 2009

It adds slashes to the following characters:

\x00, \n, \r, \, ', " and \x1a

Whereas addslashes() only adds slashes to:

' \ and NUL

Ilia's article is also pretty detailed on its functionality.
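To make the difference between the two escape sets concrete, here is an added example that is not part of the question or the answer above. It reimplements both functions' escape tables in Python, following the PHP documentation (note that PHP's addslashes() also escapes the double quote, in addition to the characters the answer lists), so the comparison runs without a MySQL server. The sample strings are constructed for the demonstration, and the sqlite3 lookup at the end stands in for the parameterized-query alternative the question mentions; it is not MySQL-specific code.

```python
import sqlite3

# Escape tables modelled on the PHP documentation for addslashes() and
# mysql_real_escape_string(). These are illustrative reimplementations,
# not PHP's own code.
ADDSLASHES = {
    "\x00": "\\0",
    "'": "\\'",
    '"': '\\"',
    "\\": "\\\\",
}

MYSQL_REAL_ESCAPE = {
    "\x00": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def escape(value: str, table: dict) -> str:
    """Replace every character found in `table` with its escaped form."""
    return "".join(table.get(ch, ch) for ch in value)


def addslashes(value: str) -> str:
    return escape(value, ADDSLASHES)


def mysql_real_escape_string(value: str) -> str:
    return escape(value, MYSQL_REAL_ESCAPE)


def left_raw_by_addslashes(value: str) -> list:
    """Characters in `value` that mysql_real_escape_string() would escape
    but addslashes() passes through untouched."""
    return sorted({ch for ch in value
                   if ch in MYSQL_REAL_ESCAPE and ch not in ADDSLASHES})


# Constructed sample inputs covering each character class of interest.
SAMPLES = [
    "O'Brien",          # single quote: both functions escape it
    "line1\nline2",     # newline: only mysql_real_escape_string escapes it
    "end\x1aof\x00data",  # Ctrl-Z and NUL: only Ctrl-Z differs
]


def compare(samples=SAMPLES) -> dict:
    """Map each sample to (addslashes output, mysql_real_escape_string
    output, characters addslashes left raw)."""
    return {s: (addslashes(s), mysql_real_escape_string(s),
                left_raw_by_addslashes(s)) for s in samples}


def lookup_user_parameterized(username: str):
    """The alternative the question mentions: hand the value to the driver
    as a bound parameter so no escaping function is involved at all.
    Uses an in-memory sqlite3 table as a stand-in for MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("alice",), ("O'Brien",), ("line1\nline2",)])
    row = conn.execute("SELECT name FROM users WHERE name = ?",
                       (username,)).fetchone()
    conn.close()
    return row[0] if row else None


if __name__ == "__main__":
    for sample, (a, m, raw) in compare().items():
        print(repr(sample), "->", repr(a), "|", repr(m), "| raw:", raw)
    print(lookup_user_parameterized("O'Brien"))
```

Running compare() shows that both functions agree on quotes, backslashes and NUL, while newline, carriage return and Ctrl-Z pass through addslashes() unchanged. Beyond this character-level difference, mysql_real_escape_string() escapes with the character set of the open connection in mind, which a byte-oriented function like addslashes() cannot do; that is the reason the MySQL-specific function exists, and the reason bound parameters, as in lookup_user_parameterized(), remain the simpler choice.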