Posted Mar 30, 2006 14:20 UTC (Thu) by rfunk
Parent article: SQL injection attacks
It's important to note that the details of quoting strings are
DBMS-dependent, and PHP's addslashes() is insufficient (or in some cases
just plain wrong). Some of the comments on the PHP addslashes() doc page go into the
details. It's always better to use a DBMS-specific quoting function
than to blindly add backslashes. Which is why PHP's "magic quotes"
feature is so annoyingly useless.
This tendency to SQL injection is one of the reasons people see PHP as an
inherently insecure language, or at least one that encourages insecure
to post comments)