10

mysql_real_escape_string and addslashes are both used to escape data before the database query, so what's the difference? (This question is not about parametrized queries/PDO/mysqli)

Kemal
  • Similar to this question: http://stackoverflow.com/questions/534742/what-does-mysql-real-escape-string-do-that-addslashes-doesnt – Zack Feb 24 '10 at 04:31

5 Answers

15

string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

string addslashes ( string $str )
Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).

They affect different characters. mysql_real_escape_string is specific to MySQL. Addslashes is just a general function which may apply to other things as well as MySQL.

Mark Embling
  • You just copied definitions and didn't really answer the question of what the actual difference is, that is, what are the usages and what are the pitfalls, in which way is one function better than the other. Better answer is here: http://stackoverflow.com/a/3473077/1335996 – psycho brm Jan 23 '13 at 12:25
  • Read again and you'll note the final paragraph where I stated that different characters are affected, which summarises the documentation quoted. You'll see that the question was answered. The question did not ask for "why one is better than the other" or "benefits and pitfalls". The linked answer does go into more depth and is worth a read if the above is still not clear to you, but I do not see that it is necessary to attempt to pick holes in my answer. – Mark Embling Jan 25 '13 at 17:52
9

mysql_real_escape_string() has the added benefit of escaping text input correctly with respect to the character set of a database through the optional link_identifier parameter.

Character set awareness is a critical distinction. addslashes() will add a slash before every eight bit binary representation of each character to be escaped.

If you're using some form of multibyte character set it's possible, although probably only through poor design of the character set, that one or both halves of a sixteen or thirty-two bit character representation is identical to the eight bits of a character addslashes() would add a slash to.

In such cases you might get a slash added before a character that should not be escaped or, worse still, you might get a slash in the middle of a sixteen (or thirty-two) bit character which would corrupt the data.

If you need to escape content in database queries you should always use mysql_real_escape_string() where possible. addslashes() is fine if you're sure the database or table is using 7 or 8 bit ASCII encoding only.

A J
Jon Cram
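As an added example that is not part of this answer or the original page, here is the byte-splitting Jon Cram describes, shown in PHP on a constructed GBK string. escape_by_character() is a hypothetical helper that escapes per character in a declared charset, standing in for mysql_real_escape_string() (which needs a live connection); the 0xBF 0x5C character and the input are constructed.

```php
<?php
// Added example, not code from any of the answers above. It contrasts the
// byte-oriented addslashes() with escaping done per character in a declared
// charset. escape_by_character() is a hypothetical helper for illustration;
// real code should use mysqli_real_escape_string() on a connection whose
// charset has been set, or prepared statements.

function escape_by_character(string $str, string $charset): string
{
    // The replacements MySQL's escaper applies, keyed by single-byte character.
    $map = [
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r', "\x1a" => '\\Z',
        "'"  => "\\'", '"'  => '\\"', '\\' => '\\\\',
    ];
    $out = '';
    $count = mb_strlen($str, $charset);
    for ($i = 0; $i < $count; $i++) {
        $ch = mb_substr($str, $i, 1, $charset); // one whole character, 1..n bytes
        $out .= $map[$ch] ?? $ch;               // a multibyte character never matches
    }
    return $out;
}

function to_hex(string $bytes): string
{
    return strtoupper(bin2hex($bytes));
}

// Constructed GBK input: a two-byte character whose trailing byte is 0x5C (the
// byte ASCII uses for the backslash), followed by an ASCII apostrophe.
$gbk = "\xBF\x5C'";

printf("input:         %s\n", to_hex($gbk));
printf("addslashes:    %s\n", to_hex(addslashes($gbk)));
printf("per-character: %s\n", to_hex(escape_by_character($gbk, 'GBK')));

// addslashes() takes the 0x5C inside the character for a lone backslash and
// doubles it, so the result decodes (as GBK) to the character, an escaped
// backslash and a bare quote: the data is corrupted and the quote is no
// longer escaped. Escaping per character leaves the character whole and
// escapes only the apostrophe.
```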
1

case 1:

```php
$str = "input's data";

print mysql_real_escape_string($str);   // input\'s data
print addslashes($str);                 // input\'s data
```

case 2:

```php
$str = "input\'s data";

print mysql_real_escape_string($str);   // input\'s data
print addslashes($str);                 // input\\'s data
```
0

It seems that mysql_real_escape_string is binary-safe - the documentation states:

If binary data is to be inserted, this function must be used.

I think it's probably safer to always use mysql_real_escape_string than addslashes.

0

mysql_real_escape_string should be used when you are receiving binary data, addslashes is for text input.

You can see the differences here: mysql-real-escape-string and addslashes

dsm