Can SQL injection be prevented with just addslashes(string)? [duplicate]

Answer 1

No, addslashes is not good enough. mysql_escape_string is not necessarily good enough. Use mysql_real_escape_string.

Whether you like what it adds or not doesn't matter, it only escapes characters to make sure the query syntax is valid. If this gets in the way of what you're doing, you're doing something wrong.

Answer 2

The best way to prevent SQL injection is to use prepared statement with either mysqli or PDO.

Answer 3

No, it's not safe. Use mysql_real_escape_string() instead. It shouldn't add anything beyond what it takes to escape the string.

http://php.net/mysql-real-escape-string

This applies to other databases too: use the extension-specific escape function.

Answer 4

You also have the option of using the mysqli functions and Prepared Statements. This largely avoids the problem in the first place because all quotes are considered part of the data.