Is PHP's addslashes vulnerable to SQL injection attack? [duplicate]
Possible Duplicate: What does mysql_real_escape_string() do that addslashes() doesn't?

I have been reviewing articles on how/why PHP's addslashes function is vulnerable to SQL injection. Everything I have read says there are problems with specific MySQL encoding types (default-character-set=GBK), or there are problems if magic_quotes are enabled.

However, I have been unable to break out of the addslashes() function in this scenario and do something malicious - such as log in as an administrator.

$user = addslashes($_POST['user']);
$pass = sha1($_POST['pass']);
$sql = "SELECT * FROM admins WHERE
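The encoding issue the question refers to, as an added example that is not part of the original post: addslashes() works on bytes, so under GBK the backslash it inserts can be read as the trail byte of a two-byte character. The helper name `quoteSurvivesAddslashes` is hypothetical, the sample inputs are constructed, and the code assumes PHP 7.4+ with the mbstring extension.

```php
<?php
// Added illustration, not code from the question. Sample inputs are constructed.

/**
 * Hypothetical helper: apply addslashes() (byte-oriented), then read the result
 * the way a server decoding it as $charset would, and report whether a single
 * quote is left without a backslash character of its own in front of it.
 */
function quoteSurvivesAddslashes(string $raw, string $charset): bool
{
    // Split the escaped bytes into characters as $charset defines them.
    $chars = mb_str_split(addslashes($raw), 1, $charset);
    for ($i = 0, $n = count($chars); $i < $n; $i++) {
        if ($chars[$i] === '\\') {
            $i++;            // a backslash character escapes the next one; skip it
            continue;
        }
        if ($chars[$i] === "'") {
            return true;     // quote reached with no escaping backslash before it
        }
    }
    return false;
}

$samples = [
    'ascii name'      => "O'Reilly",   // ordinary input with a quote
    'lead byte+quote' => "\xBF'",      // GBK lead byte followed by a quote
];

foreach ($samples as $label => $raw) {
    foreach (['UTF-8', 'GBK'] as $charset) {
        printf(
            "%-16s %-6s escaped=%s quote_survives=%s\n",
            $label,
            $charset,
            bin2hex(addslashes($raw)),
            var_export(quoteSurvivesAddslashes($raw, $charset), true)
        );
    }
}
```

Escaping that knows the connection character set, or a prepared statement with the character set declared on the connection, avoids the mismatch because the byte-level backslash is never the only thing separating data from SQL.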