1

This is answered everywhere and I simply can't see what's wrong with my code:

print 'https://www.facebook.com/someURL'.'<br />';
print addslashes('https://www.facebook.com/someURL').'<br />';
print mysql_real_escape_string('https://www.facebook.com/someURL').'<br />';

Output is:

https://www.facebook.com/someURL
https://www.facebook.com/someURL
https://www.facebook.com/someURL

Why are no slashes being added in any of these cases?

rockstardev

3 Answers

4

Why are no slashes being added in any of these cases?

You don't have any characters that need escaping in that string.


That said, addslashes is not suitable and mysql_real_escape_string (like all of mysql_) is obsolete; you should use a modern replacement and use prepared statements / bound arguments instead of manual string escaping.

Community
Quentin
  • So only backslashes need to be escaped? – rockstardev Jan 04 '14 at 09:27
  • No, quotes need to be escaped as well: they are escaped with the backslash character, which is why the backslash character also needs escaping – Mark Baker Jan 04 '14 at 09:28
  • @coderama — No. Apostrophes need it too, and possibly other characters that my knowledge of raw SQL isn't sufficient to know off the top of my head. – Quentin Jan 04 '14 at 09:28
2

Because addslashes() returns a string with backslashes before characters that need to be escaped. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).

And your string does not contain any of the above-mentioned characters.

R R
2

From http://uk3.php.net/addslashes:

Returns a string with backslashes before characters that need to be escaped. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).

Alex Siri
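An added example, not code from the question or from any of the answers: it runs addslashes() over the question's URL and over constructed strings containing each character the answers list, then stores values through a prepared statement with a bound parameter, as the first answer recommends. Assumptions: PHP with the pdo_sqlite driver, an in-memory SQLite database standing in for MySQL, and a hypothetical `links` table and `show()` helper.

```php
<?php
// Added example, not code from the thread. The sample strings and the
// "links" table are constructed; SQLite in memory stands in for MySQL.

$samples = [
    'plain URL'    => 'https://www.facebook.com/someURL',
    'single quote' => "https://example.com/o'reilly",
    'double quote' => 'https://example.com/?q="x"',
    'backslash'    => 'C:\\temp\\file',
    'NUL byte'     => "a\0b",
];

// Hypothetical helper: make a NUL byte visible when printing.
function show(string $s): string
{
    return str_replace("\0", '[NUL]', $s);
}

// addslashes() prefixes only ', ", \ and NUL with a backslash.
// Forward slashes, colons and dots are not in that set.
foreach ($samples as $label => $raw) {
    $escaped = addslashes($raw);
    printf("%-13s %-34s => %s%s\n", $label, show($raw), show($escaped),
        $escaped === $raw ? '  (unchanged)' : '');
}

// Bound parameters: the value travels separately from the SQL text,
// so no manual escaping is applied to it at all.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE links (url TEXT NOT NULL)');

$insert = $pdo->prepare('INSERT INTO links (url) VALUES (:url)');
$labels = ['plain URL', 'single quote', 'double quote', 'backslash'];
foreach ($labels as $label) {
    $insert->execute([':url' => $samples[$label]]);
}

// Read the rows back and compare each with the value that was bound.
$stored = $pdo->query('SELECT url FROM links ORDER BY rowid')
              ->fetchAll(PDO::FETCH_COLUMN);
foreach ($stored as $i => $url) {
    $same = $url === $samples[$labels[$i]];
    printf("stored: %-34s matches input: %s\n", $url, $same ? 'yes' : 'no');
}
```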