When is addslashes required on MySQL PDO queries?

New coder question here:

I can't quite figure out when I need to use PHP's addslashes on the data I am adding to and retrieving from my database.

Some of my data has single quotation marks (e.g., Smith's).

The database seems to store data in VARCHARs with single quotes just fine.

Do I need to use addslashes on my string variables I am storing in the database?

Here is an example of one of my queries:

$mod_Name="Smith's";
$mod_Image="smiths.jpg";

$sql="INSERT INTO Footers (name, image) VALUES (?,?)";
$stmt = $pdo->prepare($sql);
$stmt->execute([$mod_Name, $mod_Image]);
$stmt = null;

I'm not sure how the above works with MySQL. My concern is that if execute then converts my $sql into a single-quoted statement that gets queried, the above will show as: 'INSERT INTO Footer (name, image) VALUES ('Smith's', 'smiths.jpg');'

Any guidance on this would be appreciated.

When is addslashes required on MySQL PDO queries?

NEVER


^ To elaborate on what @benanamen just said: in ye olden days it was not possible to run prepared queries on MySQL from PHP like we can now, and for that reason the data had to be escaped before it was inserted. It worked, kind of, but wasn't 100% foolproof.

Now that we have prepared queries in PHP, addslashes has become obsolete and should indeed NEVER be used anymore.

The same reasoning holds for mysql_real_escape_string and mysqli_real_escape_string by the way - those should never be used anymore either.

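To make the two replies above concrete, and to answer the original question of what execute() does with the placeholders, here is an added example (not code from this thread). It shows the concatenated query breaking on "Smith's" and being rewritten by a hostile value, the prepared statement storing both values verbatim, and addslashes on top of a prepared statement corrupting the data. It assumes the pdo_sqlite extension so it runs offline; the Footers table and every input value are constructed for the example, and the same logic applies to MySQL with only the DSN changed.

```php
<?php
// Added example, not code from the original thread.
// Assumptions: pdo_sqlite is available; the Footers table and the input
// values are constructed here. Swap the DSN for mysql:... to run on MySQL.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Footers (id INTEGER PRIMARY KEY, name TEXT, image TEXT)');

// Constructed inputs: a legitimate name containing an apostrophe, and a hostile
// value that closes the quote, supplies its own image column and comments out
// the remainder of the statement.
$inputs = [
    "Smith's",
    "x', 'attacker.jpg') -- ",
];

// Helper: read every row back so we can see exactly what was stored.
function rows(PDO $pdo): array
{
    return $pdo->query('SELECT name, image FROM Footers ORDER BY id')
               ->fetchAll(PDO::FETCH_ASSOC);
}

// (a) String concatenation: the quote inside the data becomes part of the SQL.
foreach ($inputs as $name) {
    $sql = "INSERT INTO Footers (name, image) VALUES ('$name', 'smiths.jpg')";
    try {
        $pdo->exec($sql);
        echo "concat  : accepted [$name]\n";
    } catch (PDOException $e) {
        echo "concat  : SQL error for [$name]\n";
    }
}
// "Smith's" fails with a syntax error; the hostile value is accepted and the
// row it created has image = attacker.jpg, not smiths.jpg.
foreach (rows($pdo) as $row) {
    echo "concat  : stored name=[{$row['name']}] image=[{$row['image']}]\n";
}
$pdo->exec('DELETE FROM Footers');

// (b) Prepared statement: the SQL text never contains the data. The driver
// sends the values separately (or quotes them itself when emulating prepares),
// so both inputs are stored exactly as given and read back exactly as given.
$stmt = $pdo->prepare('INSERT INTO Footers (name, image) VALUES (?, ?)');
foreach ($inputs as $name) {
    $stmt->execute([$name, 'smiths.jpg']);
}
foreach (rows($pdo) as $row) {
    echo "prepared: stored name=[{$row['name']}] image=[{$row['image']}]\n";
}
$pdo->exec('DELETE FROM Footers');

// (c) addslashes() on top of a prepared statement: the backslash is just another
// character in the bound value, so the database now holds Smith\'s.
$stmt->execute([addslashes("Smith's"), 'smiths.jpg']);
echo "addslashes+prepared: stored name=[" . rows($pdo)[0]['name'] . "]\n";
```

Run it with `php example.php`. On MySQL, put the charset in the DSN (for example `charset=utf8mb4`) and consider setting `PDO::ATTR_EMULATE_PREPARES` to false so the server receives real prepared statements; with emulation on, PDO itself quotes the bound values using the connection charset before sending the statement. In either mode the quoting is the driver's job, which is why addslashes has no place in the application code.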

Thank you guys for the guidance and explanation.