I am using the code shown here, it uses addslashes() on the data fetched from the database before saving to file.
$row[$j] = addslashes($row[$j]);
My question is why and do I need to use this? I thought you would do this when saving to the database not the other way round. When I compare the results from the above script with the export from phpMyAdmin, the fields that contain serialized data are different. I would like to know if it would cause any problems when importing back into the database?
Script:
'a:2:{i:0;s:5:\"Hello\";i:1;s:5:\"World\";}'
phpMyAdmin Export:
'a:2:{i:0;s:5:"Hello";i:1;s:5:"World";}'
UPDATE
All data is escaped when inserting into the database.
Change from mysql to mysqli.
SQL file outputs like:
INSERT INTO test (foo, bar) VALUES (1, '\'single quotes\'\r\n\"double quotes\"\r\n\\back slashes\\\r\n/forward slashes/\r\n');
SOLUTION
Used $mysqli->real_escape_string() and not addslashes()
When inserting data to a MySQL database you should be either using prepared statements or the proper escape function like mysql_real_escape_string. addslashes has nothing to do with databases and should not be used.
Escaping is used as a general term but actually covers a large number of operations. Here it seems two uses of escaping are being talked about:
inserting to db
Most database escaping functions do a lot more than just escape quotes. They escape illegal characters as well as invisible characters like \0 … this is because depending on the database you are using there are lots of ways of breaking an insert – not just by adding a closing quote.
Because someone seems to have missed my comment about mentioning PDO I will mention it again here. It is far better to use PDO or some other database abstraction system along with prepared statements, this is because you no longer have to worry about escaping your values.
outputting / dumping db values
In the mentioned backup your database script the original coder is using addslashes as a quick shorthand to make sure the outputted strings in the mysql dump are correctly formatted and won't break on re-insert. It has nothing to do with security.
selecting values from a db
Even if you escape your values on insert to the database, you will need to escape the quotes again when writing that data back into any kind of export file that utilises strings. This is only because you wish to protect your strings so that they are properly formatted.
When inserting escaped data into a database, the ‘escape sequences’ used will be converted back to their original values. for example:
Once in the database the value will actually be:
So when you pull it back out of the database you will receive:
So when you need to place this in a formatted string/dump, a dump that will be read back in by a parser, you will need to do some kind of escaping to format it correctly:
Will produce:
Which will break any normal string parser, so you need to do something like:
To produce:
However, if it were me I’d just target the double quote and escape:
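An added example, not code from the question or the answer above: a Python model of the round trip both posts describe (escape the value into a SQL literal for the dump file, the MySQL parser decodes it on import, so the stored value is the original and must be escaped again on the next export). `escape_addslashes()` and `escape_mysql()` are reimplementations of the character sets PHP's addslashes() and mysql_real_escape_string() rewrite for plain ASCII/UTF-8 text (the real mysqli function is also connection-charset aware, which this model ignores), and `decode_literal()` is an assumed model of the server's default handling of a single-quoted literal with backslash escapes enabled. The sample values are constructed from the serialized array and the quote/backslash/line-break row shown in the question.

```python
import re

# Constructed sample: the serialized array from the question.
SERIALIZED = 'a:2:{i:0;s:5:"Hello";i:1;s:5:"World";}'


def escape_addslashes(s: str) -> str:
    """Reimplementation of PHP addslashes(): escapes \\, ', " and NUL only."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0"}
    return "".join(table.get(ch, ch) for ch in s)


def escape_mysql(s: str) -> str:
    """Characters mysql_real_escape_string() rewrites for ASCII/UTF-8 text:
    in addition to the addslashes set it turns CR, LF and Ctrl-Z into
    \\r, \\n and \\Z, so the dump stays on one line and printable."""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in s)


def decode_literal(body: str) -> str:
    """Assumed model of how the MySQL parser turns the body of a '...' literal
    into the stored value (default sql_mode: backslash escapes on, '' is one
    quote, an unknown \\x sequence yields x)."""
    escapes = {"0": "\0", "n": "\n", "r": "\r", "t": "\t", "b": "\b",
               "Z": "\x1a", "\\": "\\", "'": "'", '"': '"'}
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            out.append(escapes.get(body[i + 1], body[i + 1]))
            i += 2
        elif ch == "'" and body[i + 1:i + 2] == "'":
            out.append("'")
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def dump_literal(value: str, escaper) -> str:
    """What a backup script writes into the .sql file for one column."""
    return "'" + escaper(value) + "'"


def load_literal(literal: str) -> str:
    """What the server stores when that .sql file is imported again."""
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not a single-quoted literal")
    return decode_literal(literal[1:-1])


def round_trips(value: str, escaper) -> bool:
    """True when export + import reproduces the original column value."""
    return load_literal(dump_literal(value, escaper)) == value


_STR = re.compile(r's:(\d+):"([^"]*)"')


def serialized_lengths_ok(s: str) -> bool:
    """Simplified check for serialized strings without embedded quotes: PHP
    unserialize() requires each s:N:"..." length to match the stored bytes.
    The round trip preserves it because escaping exists only in the SQL text."""
    return all(int(n) == len(body.encode()) for n, body in _STR.findall(s))


if __name__ == "__main__":
    print("script dump    :", dump_literal(SERIALIZED, escape_addslashes))
    print("phpMyAdmin dump:", dump_literal(SERIALIZED, lambda v: v.replace("'", "\\'")))
    row = "'single quotes'\r\n\"double quotes\"\r\n\\back slashes\\\r\n"
    print("addslashes     :", repr(dump_literal(row, escape_addslashes)))
    print("real_escape    :", repr(dump_literal(row, escape_mysql)))
    print("both round-trip:", round_trips(row, escape_addslashes), round_trips(row, escape_mysql))
```

Running it shows why the two dumps in the question are not a problem: `\"Hello\"` in the script's file and the bare `"Hello"` in phpMyAdmin's file both decode to the same stored bytes, so the `s:5:` lengths still match on import. The difference between the two escapers only appears on control characters: addslashes leaves raw CR/LF and other bytes in the file, while the real_escape_string set writes them as `\r\n`, which is why the question's switch to `$mysqli->real_escape_string()` is the better choice for a dump.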