Doc Bug #52901 addslashes for database queries
Submitted: 2010-09-21 16:57 UTC Modified: 2010-09-22 09:58 UTC
From: johnston dot joshua at gmail dot com Assigned:
Status: Wont fix Package: Documentation problem
PHP Version: Irrelevant OS: ALL
Private report: No CVE-ID: None
 [2010-09-21 16:57 UTC] johnston dot joshua at gmail dot com
Description:
------------
Please remove the cruft about using addslashes to escape data for database queries. It gives people the wrong idea.

I know it says use mysql_real_escape_string right after it, but even the suggestion of using addslashes gives new people the wrong idea. Tell them it's great for escaping strings for use in JavaScript or something. Please!


 [2010-09-21 17:00 UTC] philip@php.net
-Status: Open +Status: Feedback
 [2010-09-21 17:00 UTC] philip@php.net
Where do you see this?
 [2010-09-21 17:10 UTC] johnston dot joshua at gmail dot com
-Status: Feedback +Status: Open
 [2010-09-21 17:10 UTC] johnston dot joshua at gmail dot com
http://php.net/addslashes

Under Desc the first two sentences are:

Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).

An example use of addslashes() is when you're entering data into a database. For example, to insert the name O'reilly into a database, you will need to escape it.
 [2010-09-22 09:58 UTC] aharvey@php.net
-Status: Open +Status: Wont fix
 [2010-09-22 09:58 UTC] aharvey@php.net
I'd say the text there is already correct: it says to use the DBMS specific escaping function if there is one, but there are database extensions without escaping functions, in which case addslashes() is the correct function to use.
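The disagreement above is about whether addslashes() should be presented as a database-escaping function at all. The following added example (written for this page, not code from the bug report or from the PHP manual) shows what addslashes() actually does to the manual's O'reilly example, which characters it leaves untouched that a MySQL-aware escaper such as mysqli_real_escape_string() would also escape, and the bound-parameter approach that removes the need to escape in the first place. It assumes the pdo_sqlite extension is available so the database part runs offline against an in-memory SQLite database; the bug report itself does not mention PDO or prepared statements.

```php
<?php
// Added example, not part of the bug report or the manual text it quotes.
// Assumes the pdo_sqlite extension so that it runs offline.

// addslashes() knows about exactly four characters: ' " \ and NUL.
// It knows nothing about the connection character set or the quoting rules
// of a particular DBMS, which is why the reporter wants it kept out of the
// database-escaping advice.
function addslashesLiteral(string $value): string
{
    return "'" . addslashes($value) . "'";
}

// Characters that a MySQL-aware escaper (mysqli_real_escape_string) escapes
// but addslashes() passes through unchanged. Returned as hex so the difference
// is visible in a terminal.
function unescapedByAddslashes(): array
{
    $samples = ["line\nbreak", "carriage\rreturn", "ctrl-z\x1a"];
    $result = [];
    foreach ($samples as $s) {
        $result[] = bin2hex(addslashes($s));
    }
    return $result;
}

// Bound parameters: the value is sent separately from the SQL text, so no
// quote character in the data can ever change the meaning of the statement.
function roundTripWithBoundParameter(PDO $db, string $name): string
{
    $stmt = $db->prepare('INSERT INTO authors (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);

    $stmt = $db->prepare('SELECT name FROM authors WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return (string) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE authors (name TEXT NOT NULL)');

$name = "O'reilly";
echo "addslashes() literal:       ", addslashesLiteral($name), PHP_EOL;
echo "bound parameter round trip: ", roundTripWithBoundParameter($db, $name), PHP_EOL;

echo "left unescaped by addslashes() (hex):", PHP_EOL;
foreach (unescapedByAddslashes() as $hex) {
    echo "  ", $hex, PHP_EOL;
}
```

The first line of output is the manual's own example and looks fine, which is exactly why the reporter considers it misleading: the hex dump that follows shows newline, carriage return and Control-Z passing through addslashes() untouched, whereas the MySQL-specific escaper handles them. The bound-parameter round trip returns the name unchanged without any escaping step, which is the pattern to reach for whenever the database extension supports it.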
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Apr 30 14:01:33 2024 UTC