When peer reviewing PHP code, I often find dangerous uses of addslashes(). It is widely believed to be a safe way of escaping user input before passing it to e.g. a SQL query, but in fact it is unsafe: it applies a generic backslash escaping that does not match the escaping rules of the context the data ends up in. If you find yourself using addslashes(), think twice about whether you are using it safely:
- In a MySQL context, use mysql_real_escape_string() instead.
- MySQLi has an identical mysqli_real_escape_string().
- PDO provides its own escape method, PDO::quote(), which applies the rules of the connected driver.
- PostgreSQL has a wide variety of escape functions: pg_escape_literal() for values, pg_escape_bytea() for columns of type bytea, and pg_escape_identifier() for escaping identifiers (e.g. table and field names).
- When trying to pass user input to the command line, use escapeshellarg() and escapeshellcmd() to escape the input.
- When displaying non-HTML user input anywhere on a webpage, always use htmlentities() or htmlspecialchars().
- This one is a little awkward, but I've seen it before, so I thought it was worth mentioning: when including user input in URLs, use urlencode() instead of addslashes()!
If you have more suggestions for safe escaping, please leave them in the comments below. Happy safe coding!
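To make the point concrete, here is an added example (not code from the original post) that runs the same untrusted value through the context-specific functions listed above; it assumes PHP 7.4+ with the pdo_sqlite extension, and uses a constructed in-memory SQLite database in place of a real MySQL or PostgreSQL server.

```php
<?php
// Added example: context-aware escaping of one untrusted value in PHP.
// Assumes PHP 7.4+ with pdo_sqlite; the database and input are constructed here.
declare(strict_types=1);

$input = 'O\'Brien & Sons <"x">';   // constructed untrusted value

// --- SQL: addslashes() vs the driver's own quoting --------------------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');

// addslashes() turns ' into \' but SQLite and PostgreSQL do not treat a
// backslash as an escape inside a string literal, so the quote still ends the
// literal and the statement breaks (a sign the escaping does not fit the context).
$bad = "INSERT INTO users (name) VALUES ('" . addslashes($input) . "')";
try {
    $pdo->exec($bad);
} catch (PDOException $e) {
    echo "addslashes() query rejected: " . $e->getMessage() . "\n";
}

// PDO::quote() applies the connected driver's rules (here: ' becomes '').
$good = "INSERT INTO users (name) VALUES (" . $pdo->quote($input) . ")";
$pdo->exec($good);

// Prepared statements keep data out of the SQL text entirely and are the
// preferred form whenever the driver supports them.
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $input]);
var_dump($stmt->fetchColumn() === $input);   // bool(true)

// --- Shell: escape each argument; the command itself stays a constant -------
$out = shell_exec('printf %s ' . escapeshellarg($input));
echo $out === $input ? "shell argument survived intact\n" : "shell mismatch\n";

// --- HTML: encode for the HTML context with explicit quote handling and charset
echo htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";

// --- URL: percent-encode a query component, never addslashes() it ------------
echo 'https://example.com/search?q=' . urlencode($input), "\n";
```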