
Table of Contents
1. addslashes() – Add Backslashes Before Special Characters
2. htmlspecialchars() – Convert Special Characters to HTML Entities
3. mysqli_real_escape_string() – Escape Special Characters for MySQL
Key Comparison Table
Best Practices (What You Should Actually Do)
Summary

A Comparative Analysis: `addslashes()` vs. `htmlspecialchars()` vs. `mysqli_real_escape_string()`

Jul 27, 2025 am 04:27 AM
PHP Escape Characters

addslashes() should not be used for SQL escaping: it is not safe and does not protect against SQL injection. htmlspecialchars() is for HTML output and prevents XSS. mysqli_real_escape_string() can escape strings for MySQL queries, but it is only a fallback for the case where prepared statements cannot be used. 1. addslashes() is outdated and unsafe and should not be used for SQL escaping in modern applications; 2. htmlspecialchars() should be used when user input is written into HTML, to prevent XSS; 3. mysqli_real_escape_string() is safer than addslashes() but still less reliable than prepared statements. The best practice is to use prepared statements to prevent SQL injection, htmlspecialchars() to prevent XSS, and never to rely on addslashes() for security.

When handling user input in PHP, especially when interacting with databases or rendering content in HTML, it is crucial to escape data correctly for the context it is going into. Three commonly used functions, addslashes(), htmlspecialchars(), and mysqli_real_escape_string(), are often confused because their names sound similar. They serve very different roles. Let's break down each one and compare them in terms of purpose, use cases, and security implications.

1. addslashes() – Add Backslashes Before Special Characters

Purpose:
addslashes() adds a backslash before four byte values: single quote ('), double quote ("), backslash (\), and the NUL byte (0x00).

```php
$input = "O'Reilly";
echo addslashes($input); // Output: O\'Reilly
```

Use Case:
Historically used to escape strings before inserting them into SQL queries, but this is outdated and unsafe.

Problems:
- It works on bytes and knows nothing about the character encoding of the string or of the database connection. In a multi-byte charset such as GBK or SJIS, a lead byte in the input can combine with the inserted backslash into one character, leaving the quote unescaped.
- It is therefore not SQL-injection-proof, even when the value is placed inside a quoted string literal.
- It is database-agnostic, which sounds convenient but means it implements no database's actual quoting rules.

Bottom Line:
Avoid it for SQL escaping. It is a naive approach and should not be used in modern applications.

2. htmlspecialchars() – Convert Special Characters to HTML Entities

Purpose:
Converts the characters that have special meaning in HTML into their entity equivalents, so that user data rendered into a page cannot break out of its text or attribute context and start a script (XSS).

```php
$input = '<script>alert("XSS")</script>';
echo htmlspecialchars($input);
// Output: &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;
```

Escapes These Characters:
- & → &amp;
- " → &quot;
- ' → &#039; (only with the ENT_QUOTES flag; it is part of the default flags since PHP 8.1, but earlier versions default to ENT_COMPAT and leave single quotes untouched, so pass ENT_QUOTES explicitly)
- < → &lt;
- > → &gt;

Use Case:
Use when displaying user input in HTML text or in quoted attribute values (e.g. in forms, comments, profiles). It is not sufficient on its own for data placed inside a URL, inside inline JavaScript, or inside CSS; those contexts need their own escaping, and a javascript: URL contains no HTML-special character at all.

Does NOT protect against SQL injection.
It is for output escaping in HTML, not for database queries.

3. mysqli_real_escape_string() – Escape Special Characters for MySQL

Purpose:
Escapes the characters that have special meaning inside a MySQL string literal (NUL, newline, carriage return, backslash, single and double quotes, and Ctrl-Z) in the context of the current MySQL connection's character set.

```php
$escaped = mysqli_real_escape_string($connection, $input);
```

Why It's Better Than addslashes():
- Aware of the connection's character set, which closes the multi-byte bypass that defeats addslashes(). This only holds if the character set was set through mysqli_set_charset(); setting it with a "SET NAMES" query changes the server side without informing the client library, and the escape function then works with the wrong charset.
- Properly handles multi-byte characters.
- Designed specifically for MySQL.

Use Case:
Acceptable for escaping strings in dynamic SQL queries if you are not using prepared statements. The escaped value must still be placed inside quotes in the query; the function does nothing for numbers, identifiers (table or column names) or LIMIT values concatenated without quotes. Cast numbers to int and take identifiers from a whitelist instead.

But Note:
Still not as secure or clean as prepared statements.

Key Comparison Table

| Function | Purpose | Use Case | Prevents SQLi? | Prevents XSS? |
| --- | --- | --- | --- | --- |
| addslashes() | Adds backslashes | Legacy/unsafe SQL escaping | No | No |
| htmlspecialchars() | Escapes HTML characters | Outputting data in HTML | No | Yes (HTML text and attribute context) |
| mysqli_real_escape_string() | Escapes SQL special chars (MySQL) | Escaping quoted strings in SQL queries | Partially (quoted string literals only, with the correct connection charset) | No |

Best Practices (What You Should Actually Do)

Instead of relying on manual escaping:

1. Use Prepared Statements (MySQLi or PDO):
This is the gold standard for preventing SQL injection.

```php
$stmt = $pdo->prepare("INSERT INTO users (name) VALUES (?)");
$stmt->execute([$name]);
```

Prepared statements separate SQL logic from data, so no escaping of the values is needed. They parameterize values only; table and column names still have to come from a whitelist in your code.

2. Use htmlspecialchars() When Outputting to HTML:
Always escape user-generated content before displaying it, and pass the flags and charset explicitly rather than relying on version-dependent defaults. Adding ENT_SUBSTITUTE makes invalid UTF-8 sequences be replaced instead of making the function return an empty string.

```php
echo htmlspecialchars($userComment, ENT_QUOTES, 'UTF-8');
```

3. Don't use addslashes() for SQL.
It is broken by design for this purpose.

4. Only use mysqli_real_escape_string() if you absolutely must build dynamic queries, and even then prefer prepared statements.

Summary

- addslashes() → Obsolete and unsafe. Avoid.
- htmlspecialchars() → For HTML output. Stops XSS.
- mysqli_real_escape_string() → For MySQL queries, better than addslashes(), but still second-best to prepared statements.

The real answer?
Stop escaping manually. Use prepared statements for SQL and htmlspecialchars() for HTML output. That's how modern PHP apps stay secure.

Basically:
SQL? → Prepared statements
HTML? → htmlspecialchars()
Never use addslashes() for security.
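The three failure modes discussed above, side by side in one script, as an added example that is not code from the original article (written for PHP 8 with the mbstring extension): the addslashes() multi-byte bypass reproduced without a database by re-decoding the escaped bytes as GBK, the htmlspecialchars() flag and URL-context caveats, and two hypothetical mysqli helpers, findUserIdEscaped() and findUserIdPrepared(), that assume an open mysqli connection $db and show mysqli set_charset() plus escaping next to a prepared statement. The attacker inputs are constructed for the demonstration.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original article. Needs PHP 8 with the
// mbstring extension. The two database helpers at the end assume a live
// mysqli connection ($db, hypothetical) and are defined but never called,
// so the file runs offline: php compare_escaping.php

// ---- 1. addslashes(): why "it does not know the charset" is exploitable ----
// Constructed attacker input: a lone 0xBF byte, a quote, then SQL.
$attack = "\xbf' OR 1=1 -- ";

// addslashes() works on bytes and turns ' into \' :  bf 27 ... -> bf 5c 27 ...
$escaped = addslashes($attack);

// If the MySQL connection uses GBK, the server decodes bf 5c as ONE two-byte
// character (縗); the backslash is swallowed and the quote is bare again.
// Re-decoding the escaped bytes as GBK shows exactly what the server parses.
function quoteSurvivesGbk(string $escapedBytes): bool
{
    $asServerSeesIt = mb_convert_encoding($escapedBytes, 'UTF-8', 'GBK');
    // A quote not preceded by a backslash means the escaping was defeated.
    return (bool) preg_match("/(?<!\\\\)'/u", $asServerSeesIt);
}

// ---- 2. htmlspecialchars(): correct flags, and the contexts it cannot fix ---
// Constructed payload aimed at a single-quoted attribute value.
$payload = "' onmouseover='alert(1)";

// Before PHP 8.1 the default flag set was ENT_COMPAT, which leaves ' alone:
$attrCompat = "<input value='" . htmlspecialchars($payload, ENT_COMPAT, 'UTF-8') . "'>";
// <input value='' onmouseover='alert(1)'>            -> new attribute injected

// ENT_QUOTES (default since 8.1) encodes both quote styles; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
$attrQuotes = "<input value='" . htmlspecialchars($payload, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "'>";
// <input value='&#039; onmouseover=&#039;alert(1)'>  -> inert text

// Even with the right flags, htmlspecialchars() only protects HTML text and
// attribute syntax. A javascript: URL contains no HTML-special character, so
// it passes through untouched and still runs when the link is clicked.
function safeHref(string $url): string
{
    // Validate the URL scheme first; escaping cannot do this part.
    $url     = trim($url);
    $parts   = parse_url($url) ?: [];
    $scheme  = strtolower($parts['scheme'] ?? '');
    $allowed = in_array($scheme, ['http', 'https'], true)
        || ($scheme === '' && str_starts_with($url, '/') && !str_starts_with($url, '//'));
    return htmlspecialchars($allowed ? $url : '#', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// ---- 3. mysqli_real_escape_string() done right, and the better alternative ---
function findUserIdEscaped(mysqli $db, string $name): ?int
{
    // The escape is only correct for the charset the client library knows
    // about. set_charset() tells it; a raw "SET NAMES gbk" query does not,
    // which re-creates the addslashes() bypass above with a "safe" function.
    $db->set_charset('utf8mb4');
    $safe = $db->real_escape_string($name);
    // The result MUST be placed inside quotes; it does nothing for unquoted
    // numbers, identifiers or LIMIT values.
    $row = $db->query("SELECT id FROM users WHERE name = '{$safe}'")->fetch_assoc();
    return $row ? (int) $row['id'] : null;
}

function findUserIdPrepared(mysqli $db, string $name): ?int
{
    // The value travels to the server separately from the SQL text: nothing
    // to escape, and the charset question disappears for the value itself.
    $db->set_charset('utf8mb4');
    $stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    return $row ? (int) $row['id'] : null;
}

// ---- Demo (runs without a database) ----
printf("addslashes() quote survives GBK decoding: %s\n", quoteSurvivesGbk($escaped) ? 'yes' : 'no');
echo $attrCompat, "\n", $attrQuotes, "\n";
echo safeHref('javascript:alert(1)'), "\n";        // #
echo safeHref('https://example.com/?q=a&b'), "\n"; // https://example.com/?q=a&amp;b
```

Run it with the PHP CLI; the first line of output is "yes", which is the whole case against addslashes(): the escaping looked fine at the byte level and was undone by the character set. For PDO the equivalent of set_charset() is charset=utf8mb4 in the DSN, ideally together with PDO::ATTR_EMULATE_PREPARES set to false so that the server, not the client library, binds the parameters.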


