How does the use of mysql_real_escape_string() differ from addslashes() when escaping SQL queries in PHP?

When escaping SQL queries in PHP, using mysql_real_escape_string() is preferred over addslashes() because mysql_real_escape_string() is specifically designed to escape characters in a way that is safe for use in MySQL queries. addslashes() may not handle all characters correctly, potentially leading to SQL injection vulnerabilities. It is recommended to use mysql_real_escape_string() or parameterized queries to properly escape user input in SQL queries.

// Using mysql_real_escape_string() to escape user input in a SQL query
$unsafe_variable = $_POST[&#039;input&#039;];
$safe_variable = mysql_real_escape_string($unsafe_variable);

$query = &quot;SELECT * FROM table WHERE column = &#039;$safe_variable&#039;&quot;;
$result = mysql_query($query);

Keywords

mysql_real_escape_string addslashes SQL queries PHP escaping

How does the use of mysql_real_escape_string() differ from addslashes() when escaping SQL queries in PHP?

Keywords

Related Questions