What does mysql_real_escape_string() do that addslashes() doesn't?

php security sql-injection
Michael Borgwardt picture Michael Borgwardt · Feb 11, 2009 · Viewed 12.7k times · Source

Why do we need a DB-specific functions like mysql_real_escape_string()? What can it do that addslashes() doesn't?

Ignoring for the moment the superior alternative of parameterized queries, is a webapp that uses addslashes() exclusively still vulnerable to SQL injection, and if yes, how?

Answer

Ólafur Waage picture Ólafur Waage · Feb 11, 2009

It adds slashes to: 

\x00, \n, \r, \, ', " and \x1a. characters.

Where addslashes only adds slashes to 

' \ and NUL

Ilias article is also pretty detailed on its functionality

Related questions

How can I prevent SQL injection in PHP?

If user input is inserted without modification into an SQL query, then the application becomes vulnerable to SQL injection, like in the following example: $unsafe_variable = $_POST['user_input']; mysql_query("INSERT INTO `table` (`column`) VALUES ('$unsafe_variable')"); That's …

Read More
How can I sanitize user input with PHP?

Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of HTML tags?

Read More
SQL injection that gets around mysql_real_escape_string()

Is there an SQL injection possibility even when using mysql_real_escape_string() function? Consider this sample situation. SQL is constructed in PHP like this: $login = mysql_real_escape_string(GetFromPost('login')); $password = mysql_real_escape_string(GetFromPost('password')); $sql = "…

Read More