PHP addslashes() Function - A Step-by-Step Guide

What is the PHP addslashes() Function?

The addslashes() function is a built-in PHP function that returns a copy of a string with a backslash inserted before each single quote, double quote, backslash and NUL byte. It works byte by byte and knows nothing about the context the string will be used in; it was originally meant for building database queries by string concatenation, a practice that prepared statements have replaced.

Syntax of addslashes()

addslashes(string $string): string

Parameter:

  • $string: The input string that needs escaping.

Return Value:

  • Returns the escaped string with a backslash added before:
    • Single quotes (')
    • Double quotes (")
    • Backslashes (\), so an existing backslash becomes two
    • NUL bytes (\0), which become the two ASCII characters \ and 0
  • Every other byte, including newlines, control characters and multibyte UTF-8 sequences, is passed through unchanged.

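To make the rule above concrete, here is a byte-level reimplementation of addslashes() written for this page (it is not PHP's own source). It is checked against the built-in on constructed sample strings, and the same loop shows that stripslashes() undoes exactly one level of escaping while a second addslashes() call stacks a new one.

```php
<?php
// Added example: a byte-by-byte reimplementation of addslashes() so the exact
// rule is visible. Not PHP's own code; the built-in is used to verify it.
declare(strict_types=1);

function my_addslashes(string $s): string
{
    $out = '';
    $len = strlen($s);                 // strlen() counts bytes, not characters
    for ($i = 0; $i < $len; $i++) {
        $c = $s[$i];
        if ($c === "'" || $c === '"' || $c === '\\') {
            $out .= '\\' . $c;         // prefix the byte with a backslash
        } elseif ($c === "\0") {
            $out .= '\\0';             // NUL becomes the two ASCII bytes "\" and "0"
        } else {
            $out .= $c;                // everything else, including newlines and
                                       // multibyte sequences, passes through untouched
        }
    }
    return $out;
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed sample inputs covering each escaped byte and some that are not.
$samples = [
    "It's a \"beautiful\" day!",
    "C:\\Program Files\\MyApp",          // PHP literal for C:\Program Files\MyApp
    "nul\0byte",
    "newline\nand tab\tare not touched",
    "UTF-8 é and emoji 😀 pass through",
];

foreach ($samples as $s) {
    $escaped = addslashes($s);
    check(my_addslashes($s) === $escaped, 'reimplementation matches built-in');
    check(stripslashes($escaped) === $s, 'stripslashes() reverses one level');
    printf("%-45s => %s\n", json_encode($s), json_encode($escaped));
}

// addslashes() is not idempotent: applying it twice escapes the escapes.
// "O'Reilly" -> O\'Reilly -> O\\\'Reilly  (this is what "double escaping" means)
check(addslashes(addslashes("O'Reilly")) === "O\\\\\\'Reilly", 'double escaping stacks');
echo "all checks passed\n";
```

The printed pairs use json_encode() only to make the NUL byte and non-ASCII characters visible on a terminal; the values compared are the raw byte strings.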

Why Use addslashes()?

addslashes() is helpful when:

  • Maintaining legacy code that still builds MySQL queries by string concatenation and cannot yet be moved to prepared statements.
  • Generating text in a syntax whose grammar uses backslash-escaped quotes, such as a PHP or C-style string literal written out by a code generator.

However, it is not a SQL injection defense and is not recommended for database code. It knows nothing about the database it is supposedly escaping for: it touches only four bytes; it is unaware of the connection character set, so with a multibyte charset such as GBK a lead byte in the input can combine with the inserted backslash into one two-byte character and leave the following quote live; and its backslash convention is MySQL-specific (SQLite does not treat a backslash as an escape at all, and MySQL stops doing so under sql_mode NO_BACKSLASH_ESCAPES). Use prepared statements or parameterized queries instead.

Basic Example of addslashes()

<?php
$str = "It's a \"beautiful\" day!";
echo addslashes($str);
?>

Output

It\'s a \"beautiful\" day!

Use Cases for addslashes()

Escaping for Database Queries (Not Recommended)

<?php
$name = "O'Reilly";
$query = "INSERT INTO users (name) VALUES ('" . addslashes($name) . "')";
echo $query;
?>

Output:

INSERT INTO users (name) VALUES ('O\'Reilly')

Note: Use PDO or MySQLi with prepared statements instead. The query above only works for MySQL, and only while the server's sql_mode and the connection character set cooperate. If you are stuck escaping for MySQL, mysqli_real_escape_string() at least knows the connection's character set; addslashes() does not.

Escaping Strings with Special Characters

<?php
$path = "C:\\Program Files\\MyApp";
echo addslashes($path);
?>

Output:

C:\\Program Files\\MyApp

Quoting User Input (Not a Safety Measure)

<?php
$userInput = "John's laptop";
echo addslashes($userInput);
?>

Output:

John\'s laptop

The backslash only means something to a parser that treats it as an escape character. addslashes() does not validate the input, limit its length or make it safe for HTML, JavaScript, shell commands or file paths.

Best Practices for Using addslashes()

Use for Non-SQL Contexts:

Avoid using addslashes() for SQL queries. Instead, use prepared statements for proper SQL injection protection.

Escape Only When Necessary:

Escape user input only if required by the application logic.

Combine with Other Security Measures:

Choose the escaping function by output context. addslashes() does nothing for HTML: use htmlspecialchars() with ENT_QUOTES for HTML output, json_encode() for values embedded in JavaScript, and prepared statements for SQL. Stacking addslashes() on top of htmlspecialchars() does not give you SQL and XSS protection at once; it gives you a string with stray backslashes in it.

Avoid Double Escaping:

Double escaping comes from applying addslashes() more than once to the same value (the old magic_quotes_gpc setting, removed in PHP 5.4, did this automatically to every request variable). Do not try to detect whether a value is "already escaped"; that check is unreliable and is itself a source of bugs. Store raw data and escape exactly once, at the point where the string is placed into its target syntax.

Common Mistakes and How to Avoid Them

Using for SQL Queries:

  • Instead of addslashes(), use parameterized queries to prevent SQL injection.

// Incorrect: the value is spliced into the SQL text, so the database's own
// quoting rules (not PHP's) decide whether it is read as data or as code.
$query = "SELECT * FROM users WHERE name = '" . addslashes($name) . "'";

// Correct: $pdo is an existing PDO connection. The value is sent separately
// from the statement text and is never parsed as SQL.
$stmt = $pdo->prepare("SELECT * FROM users WHERE name = :name");
$stmt->execute(['name' => $name]);
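The following added example (not code from the original page) runs both approaches from the "Escaping for Database Queries" section and the mistake above against an in-memory SQLite database, so it needs only the pdo_sqlite extension and no server. It shows that the addslashes() query is not even valid SQL for a database that does not use backslash escapes, while the prepared statement stores a legitimate quoted name and a constructed injection payload as plain data.

```php
<?php
// Added example, not from the original page: the same insert done two ways
// against an in-memory SQLite database (requires the pdo_sqlite extension).
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

$name    = "O'Reilly";                       // legitimate input containing a quote
$payload = "x'); DELETE FROM users; --";     // constructed malicious input

// 1. String concatenation with addslashes(). Escaping rules belong to the
//    database, not to PHP: SQLite never treats a backslash as an escape, so
//    'O\'Reilly' ends the literal at O\ and the rest is a syntax error.
//    MySQL behaves the same way once sql_mode contains NO_BACKSLASH_ESCAPES.
try {
    $pdo->exec("INSERT INTO users (name) VALUES ('" . addslashes($name) . "')");
    echo "addslashes insert succeeded\n";
} catch (PDOException $e) {
    echo "addslashes insert failed: " . $e->getMessage() . "\n";
}

// 2. Prepared statement. The value never becomes part of the SQL text, so the
//    driver handles quoting and the payload is stored as an ordinary string.
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
foreach ([$name, $payload] as $value) {
    $stmt->execute([':name' => $value]);
}

$rows = $pdo->query('SELECT name FROM users ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
print_r($rows);

// Both values are stored literally and the DELETE inside the payload never ran.
if ($rows !== [$name, $payload]) {
    throw new RuntimeException('unexpected table contents');
}
echo "prepared statement stored both values as data\n";
```

Against MySQL the concatenated query would appear to work, which is exactly why the addslashes() habit survives: the breakage only shows up when the server's sql_mode or the connection character set changes, or when an attacker supplies bytes the four-character escape rule does not cover.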

Forgetting to Sanitize Input:

  • addslashes() is an escaping step for one narrow syntax, not validation. It does not check length, type or format, and it leaves <, >, newlines, path separators and shell metacharacters untouched, so it offers no protection against XSS, header injection, path traversal or command injection.
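A concrete case of the mismatch described in the last two sections is user input embedded in an inline script: addslashes() looks like a fit because it "escapes quotes", but the browser ends a script element at the first </script> regardless of quoting. This added example (not from the original page) renders a constructed breakout payload both ways; render_with_addslashes() and render_safely() are names chosen here, and the assumption is that the value lands inside a <script> block or an HTML attribute.

```php
<?php
// Added example, not from the page: embedding user input in an inline <script>.
// addslashes() is sometimes used here because it "escapes quotes"; it does not
// escape the characters that actually end the script element.
declare(strict_types=1);

function render_with_addslashes(string $userName): string
{
    return "<script>var name = '" . addslashes($userName) . "';</script>";
}

function render_safely(string $userName): string
{
    // json_encode() produces a valid JavaScript string literal. The HEX flags
    // also encode < > & ' " as \uXXXX so the output can neither close the
    // <script> element nor break out of an attribute; JSON_THROW_ON_ERROR
    // rejects invalid UTF-8 instead of silently returning false.
    $literal = json_encode(
        $userName,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return "<script>var name = " . $literal . ";</script>";
}

// Constructed payload: no quotes or backslashes, so addslashes() changes nothing.
$attack = "</script><script>alert(1)//";

$bad  = render_with_addslashes($attack);
$good = render_safely($attack);
echo $bad, "\n", $good, "\n";

// The closing tag survived addslashes(): the browser ends the first script
// element there and executes the attacker's second one.
if (substr_count($bad, '</script>') !== 2) {
    throw new RuntimeException('expected the payload to break out of the script');
}
// The JSON-encoded version contains only the one closing tag we wrote ourselves.
if (substr_count($good, '</script>') !== 1) {
    throw new RuntimeException('expected no breakout');
}

// For plain HTML body or attribute output the tool is htmlspecialchars(),
// again not addslashes(), which would leave the tags intact.
echo htmlspecialchars("<b>John's</b>", ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
echo "checks passed\n";
```

The same rule generalizes: pick the escaper that matches the grammar the string is about to be parsed by (HTML, JavaScript, SQL, shell, URL), and apply it once at that boundary.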

Comparing addslashes() and addcslashes()

Feature        | addslashes()                                          | addcslashes()
---------------|-------------------------------------------------------|------------------------------------------------
Purpose        | Escapes only ', ", \ and \0                           | Escapes a caller-supplied list of characters
Customization  | None                                                  | Fully customizable (explicit characters and ranges such as "A..Z")
Use case       | Legacy quote escaping for MySQL-style SQL or for paths | General-purpose C-style escaping

Performance Considerations

  • Efficient but Limited: addslashes() is a fast, single pass over the bytes of a string, but speed is not the issue; its four-character rule is simply the wrong tool for most modern contexts.
  • Use Modern Alternatives: For database queries, prefer PDO or MySQLi prepared statements. They are the correct defense against SQL injection, and a prepared statement can be executed repeatedly with different parameters without rebuilding the query text.