by shannah » Mon Sep 21, 2009 12:23 pm
addslashes escapes any slashes that might be added to the input. E.g. without addslashes, if you wanted to search for a string that contained a quote you'd get an SQL error or worse.
e.g. Suppose I wanted to search for the phrase "can't" (without the outside quotes).
If you simply placed that into an sql query you'd have:
select * from foo where bar='can't'
Which could give you an SQL error.
If you do the following though,
$sql = "select * from foo where bar='".addslashes("can't")."'";
it would be rendered like:
select * from foo where bar='can\'t'
which would be correct.
It is good practice to use addslashes() or an equivalent to sanitize any data that you place into an SQL query. If you don't, you open yourself up, not only to accidental mistakes, like the one above, but also to malicious, intentional problems introduced by users (hackers) of your system.
-Steve
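The three ways of building the query from the post, run against a constructed in-memory SQLite table so the behaviour can be observed directly (added example, not code from the post or from any project it refers to; Python/sqlite3 is used in place of PHP, and the table name `foo`, column `bar` and search term "can't" follow the post). Note that the escape character is dialect-specific (backslash for MySQL-style addslashes, a doubled quote in standard SQL and SQLite), which is why a parameterised query is the more robust option.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the post's 'foo' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (id integer primary key, bar text)")
    conn.executemany("insert into foo (bar) values (?)",
                     [("can't",), ("can",), ("O'Reilly",)])
    conn.commit()
    return conn


def search_concat(conn, term):
    """The post's first form: the term is pasted straight into the SQL string.
    A term containing a quote breaks the statement (or worse)."""
    sql = "select * from foo where bar='" + term + "'"
    return conn.execute(sql).fetchall()


def search_escaped(conn, term):
    """Escape-before-concatenate, as the post recommends, but using the
    doubled quote that SQLite understands. SQLite does not treat a backslash
    as an escape character, so addslashes()-style output would not work here;
    the escaping rule must match the database dialect."""
    sql = "select * from foo where bar='" + term.replace("'", "''") + "'"
    return conn.execute(sql).fetchall()


def search_param(conn, term):
    """Parameterised query: the driver keeps data and SQL separate, so the
    caller needs to know nothing about the dialect's escaping rules."""
    return conn.execute("select * from foo where bar=?", (term,)).fetchall()


def demo(term="can't"):
    """Run all three forms for one search term and report what happened."""
    conn = make_db()
    results = {}
    try:
        results["concat"] = [row[1] for row in search_concat(conn, term)]
    except sqlite3.OperationalError:
        results["concat"] = "syntax error"  # the error the post describes
    results["escaped"] = [row[1] for row in search_escaped(conn, term)]
    results["param"] = [row[1] for row in search_param(conn, term)]
    return results
```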