When peer reviewing PHP code, I often find dangerous uses of addslashes(). It is often believed this is a safe way of escaping user input before passing it to e.g. a SQL query, but in fact it's unsafe. If you find yourself using addslashes(), think twice if you are using it safely:
If you have more suggestions for safe escaping, please leave them in the comments below. Happy safe coding!
- In a MySQL context, use mysql_real_escape_string() instead.
- MySQLi has an identical mysqli_real_escape_string().
- PDO provides it's own escape method PDO::quote().
- PostgreSQL has a wide variety of escape functions: pg_escape_literal() for values, pg_escape_bytea() for columns of type bytea, pg_escape_identifier() is used for escaping identifiers (e.g. table, field names).
- When trying to pass user input to the command line, use escapeshellarg() and escapeshellcmd() to escape the input.
- When displaying non-HTML user input anywhere on a webpage, always use htmlentities() or htmlspecialchars().
- This one is a little awkward, but I've seen it before so I thought it's worth mentioning: when including user input in URLs, use urlencode() instead of addslashes()!
If you have more suggestions for safe escaping, please leave them in the comments below. Happy safe coding!
RSS Feed
