Addslashes Explained & Abused.

Hacker Halted 2010

I regularly get a lot of questions from people who want to know what is wrong with using addslashes() in a query. Obviously they don't seem to know what addslashes() was intended for. addslashes() only prevents false queries and a possibly corrupt database. But when you use addslashes(), somewhere in a PHP script you must call stripslashes() to strip off the slashes. And here the trouble starts if no encoding is done upon insertion. To explain it better, see the code below.

Update: here is a live example for those who don't understand it: Example of stored vector

I've seen this plenty of times in the wild, it ain't uncommon. The example given stores a persistent XSS vector, but it could be anything.

Example of pseudo query, it is only a part of a database query:
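An added example, not the author's original listing: this PHP script runs the addslashes()/stripslashes() round trip described above next to a hardened path that uses a bound parameter for storage and htmlspecialchars() at output. The `comments` table, the function names and the sample input are assumptions made for the illustration, and it uses an in-memory SQLite database through PDO so it runs offline.

```php
<?php
declare(strict_types=1);

// Constructed sample input: an apostrophe plus markup, standing in for user data.
$input = "O'Reilly <script>alert(1)</script>";

// Flawed pattern from the text: addslashes() going in, stripslashes() coming out.
// Only quotes, backslashes and NUL bytes are touched, so markup passes through.
function render_flawed(string $stored): string
{
    return '<p>' . stripslashes($stored) . '</p>';
}

// Hardened storage: a bound parameter keeps the data out of the SQL text.
function save_comment(PDO $db, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// Hardened output: encode for the HTML context at the point of rendering.
function render_safe(string $stored): string
{
    return '<p>' . htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Hypothetical schema, created in memory for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

save_comment($db, $input);
$stored = (string) $db->query('SELECT body FROM comments WHERE id = 1')->fetchColumn();

$flawed = render_flawed(addslashes($input));
$safe   = render_safe($stored);

echo "flawed: $flawed\n";
echo "safe:   $safe\n";
echo 'script tag survives flawed path: ';
var_dump(strpos($flawed, '<script>') !== false);
echo 'script tag survives safe path:   ';
var_dump(strpos($safe, '<script>') !== false);
```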
