Understanding the Difference: mysql_real_escape_string() vs. addslashes()
Both mysql_real_escape_string() and addslashes() put a backslash in front of certain characters so that a value can be placed inside a quoted SQL string literal, and both are often presented as SQL injection defences. They are not equivalent: mysql_real_escape_string() is a MySQL-specific function that escapes according to the character set of an open database connection, while addslashes() is a generic PHP string function that knows nothing about SQL or character sets. (mysql_real_escape_string() belongs to the old mysql extension, which was removed in PHP 7; its successors are mysqli_real_escape_string() and PDO::quote().)
mysql_real_escape_string()
Specifically designed for MySQL, this function requires an open connection and escapes the following characters: NUL (\x00), newline (\n), carriage return (\r), backslash (\), single quote ('), double quote (") and Ctrl-Z (\x1a). Because it uses the connection's character set, it also recognises multibyte characters and never inserts a backslash in the middle of one.
addslashes()
On the other hand, addslashes() works byte by byte on the PHP string, ignores the database's character set, and escapes only four characters: single quote ('), double quote ("), backslash (\) and NUL.
Security Implications
Web applications that rely solely on addslashes() to make untrusted values safe for SQL may still be vulnerable to SQL injection. Note that this is escaping, not input validation: the value is left unchanged and only the quoting is protected. The missing escapes for \n, \r and \x1a are the smaller problem. The larger one is that addslashes() is unaware of the connection's character set: with a multibyte charset such as GBK, a lead byte in the input can combine with the backslash that addslashes() inserts before a quote, so the server reads the two bytes as one character and the quote remains unescaped, ending the string literal early. A charset-aware escaper avoids this by escaping such a stray lead byte itself. Finally, neither function helps when the value is not placed inside quotes at all (for example an unquoted numeric condition such as WHERE id = $id), since no quote is needed to break out of the literal.
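The following added example (not code from the original article) models the two escaping strategies in Python so the multibyte bypass can be shown without a MySQL server. addslashes() is implemented as PHP documents it; the charset-aware escaper follows the rule MySQL's own escape_string_for_mysql() applies for GBK (valid multibyte characters pass through whole, a stray lead byte is itself escaped); and gbk_literal_end() is a simplified model of how a gbk-connected server finds the end of a quoted literal. The GBK byte ranges, the payload and the query template are constructed for the demonstration.

```python
# Byte-level (addslashes) vs charset-aware (mysql_real_escape_string) escaping,
# modelled in Python. Constructed example; not the PHP or MySQL source code.

# GBK: lead byte 0x81-0xFE, trail byte 0x40-0xFE except 0x7F (assumed from the
# GBK encoding definition; this is what MySQL's gbk charset handler checks).
def gbk_mbchar_len(data: bytes, i: int) -> int:
    """Length of a valid GBK multibyte character starting at data[i], else 0."""
    if 0x81 <= data[i] <= 0xFE and i + 1 < len(data):
        trail = data[i + 1]
        if 0x40 <= trail <= 0xFE and trail != 0x7F:
            return 2
    return 0


def gbk_is_lead(b: int) -> bool:
    return 0x81 <= b <= 0xFE


def addslashes(data: bytes) -> bytes:
    """PHP addslashes(): backslash before ' " \\ and NUL, one byte at a time."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):
            out += b"\\" + bytes([b])
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


# Escapes applied by mysql_real_escape_string(): NUL \n \r \ ' " and Ctrl-Z.
MYSQL_ESCAPES = {
    0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x5C: b"\\\\",
    0x27: b"\\'", 0x22: b'\\"', 0x1A: b"\\Z",
}


def mysql_real_escape_string_gbk(data: bytes) -> bytes:
    """Charset-aware escaping with the connection charset set to gbk.

    Models MySQL's escape_string_for_mysql(): a valid multibyte character is
    copied whole; a lone lead byte (start of an invalid sequence) is escaped so
    that a following backslash cannot be absorbed into a new character.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        n = gbk_mbchar_len(data, i)
        if n:
            out += data[i:i + n]
            i += n
            continue
        b = data[i]
        if gbk_is_lead(b):
            out += b"\\" + bytes([b])
        elif b in MYSQL_ESCAPES:
            out += MYSQL_ESCAPES[b]
        else:
            out.append(b)
        i += 1
    return bytes(out)


def gbk_literal_end(query: bytes, start: int) -> int:
    """Index of the quote that ends a single-quoted literal whose body starts at
    query[start], read the way a gbk server tokenizer reads it: a valid multibyte
    character is skipped whole, a backslash consumes exactly one following byte.
    Returns -1 if the literal never terminates. Simplified model."""
    i = start
    while i < len(query):
        n = gbk_mbchar_len(query, i)
        if n:
            i += n
            continue
        b = query[i]
        if b == 0x5C:
            i += 2
            continue
        if b == 0x27:
            return i
        i += 1
    return -1


def build_query(escaper, user_input: bytes) -> bytes:
    """Constructed query template: the escaped value sits between single quotes."""
    return b"SELECT * FROM users WHERE name = '" + escaper(user_input) + b"'"


def injected(escaper, user_input: bytes) -> bool:
    """True if the server would close the literal before the quote the
    application appended, i.e. the rest of the input is parsed as SQL."""
    q = build_query(escaper, user_input)
    body_start = q.index(b"'") + 1
    return gbk_literal_end(q, body_start) != len(q) - 1


# Constructed payload: 0xBF is a GBK lead byte, 0x27 is the quote. After
# addslashes() the bytes become BF 5C 27 and BF 5C is a valid GBK character.
PAYLOAD = b"\xbf\x27 OR 1=1 -- "

if __name__ == "__main__":
    print("addslashes:", injected(addslashes, PAYLOAD))                  # True
    print("charset-aware:", injected(mysql_real_escape_string_gbk, PAYLOAD))  # False
```

Run it as a script to see the two verdicts; the interesting part is the byte sequence: addslashes() yields BF 5C 27, which the server reads as one GBK character followed by a bare quote, while the charset-aware escaper yields 5C BF 5C 27, where each backslash consumes exactly one byte and the quote stays inside the literal. The model only covers the connection charset being gbk on both sides; the same mismatch occurs in PHP when the charset is changed with SET NAMES instead of mysql_set_charset(), because then even mysql_real_escape_string() escapes under the wrong charset.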
Recommendation
For optimal security, avoid building SQL strings from user input with either mysql_real_escape_string() or addslashes(), and use parameterized queries (prepared statements) through mysqli or PDO instead. The query text is sent to the server separately from the bound values, so the values are never parsed as SQL, no manual escaping is needed, and the same statement can be executed repeatedly with different values. If escaping cannot be avoided, use the connection-aware function (mysqli_real_escape_string() or PDO::quote()) on an open connection whose charset was set with mysqli_set_charset(), and only for values placed inside quotes; never use addslashes() for SQL.
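As an added example (not code from the original article), the contrast between string concatenation and a bound parameter, shown with Python's built-in sqlite3 module as a stand-in for PHP's PDO or mysqli because it needs no server; the binding principle is the same. The table, the rows and the probe inputs are constructed for the demonstration.

```python
# Concatenated SQL vs a parameterized query, using an in-memory SQLite database
# as a stand-in for MySQL. Constructed example; not PDO/mysqli code.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table with three users, one of them with a quote in the name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("O'Brien", "user"), ("carol", "user")],
    )
    return conn


def find_by_name_concat(conn: sqlite3.Connection, name: str):
    """Vulnerable: the raw value becomes part of the SQL text.

    Returns the matching names, or None if the database rejected the query
    (a legitimate quote in the input is enough to break the statement).
    """
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def find_by_name_param(conn: sqlite3.Connection, name: str):
    """Safe: the value is bound to the placeholder and never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"          # constructed injection probe
    print("concat  :", find_by_name_concat(db, probe))   # every user
    print("param   :", find_by_name_param(db, probe))    # []
    print("O'Brien :", find_by_name_param(db, "O'Brien"))  # ["O'Brien"], no escaping needed
```

The parameterized version returns an empty result for the probe because the whole string is compared as a value, and it finds O'Brien without any escaping; the concatenated version returns every row for the probe and fails outright on the legitimate name.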
The above is the detailed content of Are mysql_real_escape_string() and addslashes() Equivalent in Preventing SQL Injection?. For more information, please follow other related articles on the PHP Chinese website!