Backend Development 6 min read

Understanding PHP's addslashes() Function: Syntax, Usage, and Security Considerations

This article explains PHP's addslashes() function: its syntax, the characters it escapes, code examples, its role in preventing SQL injection, and why stronger escaping methods such as mysqli_real_escape_string() or PDO prepared statements are advised.

php中文网 Courses

PHP's addslashes() function adds backslashes before certain characters in a string, primarily used to escape user input before inserting it into a database to mitigate SQL injection.

Syntax of addslashes()

<code>string addslashes(string $str)</code>

Parameter

$str : The string to be escaped.

Return Value

Returns the escaped string.

How addslashes() Works

The function inserts a backslash (\) before the following characters:

Single quote (')

Double quote (")

Backslash (\)

NULL byte (\0)

Control characters such as newline and carriage return

Example

<code>$str = "I'm using PHP.";
echo addslashes($str);</code>

Output

<code>I\'m using PHP.</code>

In this example the original string contains a single quote, so the function escapes it with a backslash.

Typical Use Cases

The main purpose of addslashes() is to escape user‑provided data before it is concatenated into an SQL statement, helping to prevent SQL injection attacks.

Vulnerable Query Example

Consider the following code that builds a query directly from user input:

<code>$name = $_POST['name'];
$password = $_POST['password'];
$query = "SELECT * FROM users WHERE name='$name' AND password='$password'";</code>

If a user supplies $name = "admin' OR '1'='1" and $password = "password", the resulting query becomes:

<code>SELECT * FROM users WHERE name='admin' OR '1'='1' AND password='password'</code>

The condition '1'='1' is always true, causing the query to return all rows – a classic SQL injection.

Escaping with addslashes()

Applying addslashes() to the inputs prevents the injection:

<code>$name = addslashes($_POST['name']);
$password = addslashes($_POST['password']);
$query = "SELECT * FROM users WHERE name='$name' AND password='$password'";</code>

The quote characters in the input are now escaped, so the database treats them as literal characters inside the string value rather than as part of the SQL syntax.

Note that addslashes() provides only basic escaping and does not guarantee full protection: it applies the same fixed set of backslash escapes regardless of which database or connection character set is in use. In production code, use stronger mechanisms such as mysqli_real_escape_string(), which escapes according to the connection's character set, or, preferably, prepared statements with PDO, which keep the data separate from the SQL text altogether.
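The following script is an added example, not code from the original article. Part 1 runs addslashes() over one sample for each character class listed above, part 2 rebuilds the article's login query with and without addslashes() using the article's own payload as constructed input, and part 3 runs the same lookup both as a string-built query and as a PDO prepared statement against a constructed in-memory SQLite database (the pdo_sqlite extension is assumed to be installed; the users table and its two rows are sample data).

```php
<?php
declare(strict_types=1);

// Added example for the article on addslashes(); not part of the original text.
// Assumes the pdo_sqlite extension is available. All data below is constructed.

/** Make NUL bytes visible when printing a string. */
function visible(string $s): string
{
    return str_replace("\0", '<NUL>', $s);
}

// --- Part 1: one sample per character class the article lists -------------
$samples = [
    "I'm here",        // single quote
    'say "hi"',        // double quote
    'C:\\temp\\file',  // backslash (the PHP value is C:\temp\file)
    "abc\0def",        // NUL byte: becomes the two characters \ and 0
];
foreach ($samples as $s) {
    printf("%-14s => %s\n", visible($s), visible(addslashes($s)));
}

// --- Part 2: the article's login query with and without escaping ----------
function buildLoginQuery(string $name, string $password): string
{
    return "SELECT * FROM users WHERE name='$name' AND password='$password'";
}

// Constructed input: the payload used in the article.
$input = ['name' => "admin' OR '1'='1", 'password' => 'password'];

echo "Unescaped:  ", buildLoginQuery($input['name'], $input['password']), "\n";
echo "addslashes: ", buildLoginQuery(addslashes($input['name']), addslashes($input['password'])), "\n";

// --- Part 3: string-built query vs. PDO prepared statement ----------------
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
// Plaintext passwords only mirror the article's schema; real code stores password_hash() output.
$pdo->exec("INSERT INTO users (name, password) VALUES ('admin', 's3cret'), ('bob', 'password')");

// The string-built query is valid SQL in SQLite too, so the payload changes its logic.
$unsafe = $pdo->query(buildLoginQuery($input['name'], $input['password']))->fetchAll(PDO::FETCH_ASSOC);
echo 'String-built query matched ', count($unsafe), " row(s)\n";

// With a prepared statement the SQL text is fixed and the values travel separately
// as bound parameters, so the quote in the name can never become query syntax.
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name AND password = :password');
$stmt->execute([':name' => $input['name'], ':password' => $input['password']]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo 'Prepared statement matched ', count($rows), " row(s)\n";
```

The escaped string from part 2 is only printed, not executed against SQLite: backslash escaping is MySQL string-literal syntax, while SQLite escapes a quote by doubling it and gives a backslash no special meaning. That mismatch is the practical reason the article's closing advice matters: escaping has to match the database and connection in use, whereas a prepared statement never relies on escaping at all.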

Summary

addslashes() adds backslashes before specific characters in a string.

It is mainly used to escape user input before database insertion to prevent SQL injection.

The function targets single quotes, double quotes, backslashes, NULL bytes, and control characters.

For robust security, prefer mysqli_real_escape_string() or PDO prepared statements.


Tags: backend development, security, SQL injection, string escaping, addslashes
Written by

php中文网 Courses

php中文网's platform for the latest courses and technical articles, helping PHP learners advance quickly.
