quoting
Posted Mar 30, 2006 14:20 UTC (Thu) by rfunk (subscriber, #4054). Parent article: SQL injection attacks
It's important to note that the details of quoting strings are DBMS-dependent, and PHP's addslashes() is insufficient (or in some cases just plain wrong). Some of the comments on the PHP addslashes() doc page go into the details. It's always better to use a DBMS-specific quoting function (e.g. mysql_real_escape_string) than to blindly add backslashes. Which is why PHP's "magic quotes" feature is so annoyingly useless.
This tendency to SQL injection is one of the reasons people see PHP as an inherently insecure language, or at least one that encourages insecure programming.
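An added example, not from the comment above or from PHP itself, that makes the DBMS-dependence concrete. It re-implements PHP's addslashes() semantics in Python (an assumption, kept to the characters PHP documents) and runs the resulting literal against SQLite, which follows ANSI SQL and gives the backslash no escaping role, alongside ANSI quote-doubling and a bound parameter:

```python
import sqlite3

def addslashes(s: str) -> str:
    """Re-implementation of PHP's addslashes(): backslash before ', ", \\ and NUL.
    This is the generic, DBMS-agnostic escaping the comment warns about."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

def quote_ansi(s: str) -> str:
    """ANSI-SQL string literal: the only special character is the single quote,
    which is doubled. This is what SQLite expects (no backslash escapes)."""
    return "'" + s.replace("'", "''") + "'"

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two awkward but legitimate names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)",
                     [("O'Brien",), ("back\\slash",), ("alice",)])
    return conn

def lookup(conn: sqlite3.Connection, literal_sql: str):
    """Run a lookup with a pre-quoted literal spliced in; None means the DBMS
    rejected the statement outright (the 'insufficient' case)."""
    try:
        rows = conn.execute("SELECT name FROM users WHERE name = " + literal_sql)
        return [r[0] for r in rows]
    except sqlite3.Error:
        return None

def compare(name: str) -> dict:
    """Same search three ways: PHP-style backslashes, ANSI quoting, bound parameter."""
    conn = make_db()
    return {
        # O'Brien -> 'O\'Brien' : SQLite sees an unterminated string -> error
        # back\slash -> 'back\\slash' : compares against two backslashes -> silently no row
        "addslashes": lookup(conn, "'" + addslashes(name) + "'"),
        "ansi": lookup(conn, quote_ansi(name)),
        # Parameter binding hands the value to the driver; no quoting rules to get wrong.
        "bound": [r[0] for r in conn.execute(
            "SELECT name FROM users WHERE name = ?", (name,))],
    }
```

The first input shows the "insufficient" failure (a rejected statement), the second the "just plain wrong" one (a query that runs but quietly matches nothing), while the DBMS-appropriate quoting and the bound parameter return the row both times.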
