In what scenarios would using functions like PDO::quote or addslashes be appropriate for handling quotes in SQL queries in PHP?

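When constructing SQL queries in PHP, quotes in user input must be handled properly to prevent SQL injection attacks. Functions like PDO::quote or addslashes can be used to escape special characters, including quotes, in user input before it is included in a SQL query. This helps to ensure that the input is treated as data rather than executable SQL code. The two are not equivalent: PDO::quote wraps the value in quotes and escapes it in the style of the connection's driver, while addslashes only inserts backslashes and knows nothing about the database or its character set. The PHP manual recommends prepared statements with bound parameters over PDO::quote, and database-specific escaping functions or prepared statements instead of addslashes.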

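// Example using PDO::quote
// $pdo is an existing PDO connection.
$userInput = "John's Book";
// quote() escapes the value and wraps it in quotes, so the SQL string adds none of its own.
$escapedInput = $pdo->quote($userInput);
$sql = "SELECT * FROM books WHERE title = $escapedInput";
$stmt = $pdo->query($sql);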

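// Example using addslashes
// $conn is an existing mysqli connection.
$userInput = "John's Book";
// addslashes() only inserts backslashes; the surrounding quotes must be written in the SQL string.
$escapedInput = addslashes($userInput);
$sql = "SELECT * FROM books WHERE title = '$escapedInput'";
$result = mysqli_query($conn, $sql);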
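
The following is an added example, not code from the original page: it runs the same title lookup once with PDO::quote and once with a bound parameter, and checks that both treat quote-bearing input as data. It assumes the pdo_sqlite extension is enabled; the in-memory table, the sample inputs and the helper names findByQuote and findByPrepared are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database (assumes pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$pdo->exec("INSERT INTO books (title) VALUES ('John''s Book'), ('Other Book')");

// Hypothetical helper: lookup via PDO::quote, as in the first snippet above.
function findByQuote(PDO $pdo, string $title): array
{
    $quoted = $pdo->quote($title);
    if ($quoted === false) {
        // Some drivers do not implement quoting; never fall back to raw input.
        throw new RuntimeException('Driver does not support PDO::quote');
    }
    // $quoted already carries its own surrounding quotes.
    return $pdo->query("SELECT id, title FROM books WHERE title = $quoted")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Hypothetical helper: the same lookup with a bound parameter.
function findByPrepared(PDO $pdo, string $title): array
{
    $stmt = $pdo->prepare('SELECT id, title FROM books WHERE title = :title');
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a legitimate title with an apostrophe, and a string
// that would alter the WHERE clause if it were spliced in unescaped.
$inputs = ["John's Book", "x' OR '1'='1"];

foreach ($inputs as $input) {
    $viaQuote    = findByQuote($pdo, $input);
    $viaPrepared = findByPrepared($pdo, $input);
    if ($viaQuote !== $viaPrepared) {
        throw new LogicException("Result mismatch for input: $input");
    }
    printf("%-14s -> %d row(s)\n", $input, count($viaQuote));
}
```

The bound-parameter version never places the value in the SQL text at all, which is why it remains correct even where a driver's quoting is unavailable or the character set is misconfigured.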