Doc Bug #52901 addslashes for database queries
Submitted: 2010-09-21 16:57 UTC Modified: 2010-09-22 09:58 UTC
From: johnston dot joshua at gmail dot com Assigned:
Status: Wont fix Package: Documentation problem
PHP Version: Irrelevant OS: ALL
Private report: No CVE-ID: None


 [2010-09-21 16:57 UTC] johnston dot joshua at gmail dot com
Please remove the cruft about using addslashes to escape data for database queries. It gives people the wrong idea.

I know it says use mysql_real_escape_string right after it, but even the suggestion of using addslashes gives new people the wrong idea. Tell them it's great for escaping strings for use in JavaScript or something. Please!


 [2010-09-21 17:00 UTC]
-Status: Open +Status: Feedback
 [2010-09-21 17:00 UTC]
Where do you see this?
 [2010-09-21 17:10 UTC] johnston dot joshua at gmail dot com
-Status: Feedback +Status: Open
 [2010-09-21 17:10 UTC] johnston dot joshua at gmail dot com

Under Desc the first two sentences are:

Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).

An example use of addslashes() is when you're entering data into a database. For example, to insert the name O'reilly into a database, you will need to escape it.
 [2010-09-22 09:58 UTC]
-Status: Open +Status: Wont fix
 [2010-09-22 09:58 UTC]
I'd say the text there is already correct: it says to use the DBMS-specific escaping function if there is one, but there are database extensions without escaping functions, in which case addslashes() is the correct function to use.
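
The difference between addslashes() and driver-specific handling that this thread discusses, shown with the manual's O'reilly value. This is an added example, not part of the bug report or the PHP manual; it assumes the pdo_sqlite extension is available, and the table name `authors` is constructed for illustration.

```php
<?php
// Added illustration; the table and the sample value are constructed.
$name = "O'reilly";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authors (name TEXT)');

// 1. addslashes() turns the value into O\'reilly. SQLite follows the SQL
//    standard: backslash is an ordinary character and a single quote is
//    escaped by doubling it. The literal therefore ends right after the
//    backslash and the rest of the statement no longer parses.
$sql = "INSERT INTO authors (name) VALUES ('" . addslashes($name) . "')";
try {
    $db->exec($sql);
    echo "addslashes(): statement accepted\n";
} catch (PDOException $e) {
    echo "addslashes(): statement rejected: ", $e->getMessage(), "\n";
}

// 2. Driver-specific escaping: PDO::quote() applies the quoting rules of the
//    connected driver and adds the surrounding quotes itself.
$db->exec('INSERT INTO authors (name) VALUES (' . $db->quote($name) . ')');

// 3. Bound parameter: the value is never spliced into the SQL text, so no
//    escaping function is involved at all.
$stmt = $db->prepare('INSERT INTO authors (name) VALUES (?)');
$stmt->execute([$name]);

// Show what was actually stored by the two working variants.
foreach ($db->query('SELECT rowid, name FROM authors') as $row) {
    echo $row['rowid'], ': ', $row['name'], "\n";
}
```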