addslashes() is not as secure as you think
hi all
Today I will talk about something really dangerous. Many developers use addslashes() to escape characters before inserting them into the database to prevent SQL injection, or simply rely on magic_quotes_gpc being enabled on the server, so that every request value already arrives escaped with slashes.
But ...
It is not as secure as you think: the attacker can still get into your site and perform SQL injection. The reason is that addslashes() works byte by byte and knows nothing about the character set of the database connection. With a multibyte charset such as GBK, the attacker sends a lead byte followed by a single quote; addslashes() puts a backslash after the lead byte, MySQL reads the lead byte and the backslash together as one valid character, and the quote is left unescaped, terminating the string. Once outside the string, the attacker can build any further text with the CHAR() function without needing a single quote, so the rest of the payload never triggers addslashes() at all.
So the safest option among the old mysql_* functions is mysql_real_escape_string(). It escapes according to the character set of the open connection, so it deals correctly with multibyte characters, hex encoding and similar tricks, but only if the charset was set with mysql_set_charset(); a SET NAMES query changes the server side without the client library noticing, and the escaping is broken again.
Note that the whole mysql_* extension was removed in PHP 7. Today use mysqli or PDO with prepared statements, which keep user data out of the SQL text entirely, so there is nothing to escape.
mysql_set_charset('utf8', $link);
$user = mysql_real_escape_string($_POST['user'], $link);
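As an added example (this is not code from the original post), the PHP below reproduces the multibyte bypass offline with mbstring, shows the vulnerable concatenation pattern, and gives the prepared-statement replacement. The $pdo connection, the users table and the find_user() helper are assumptions for illustration.

```php
<?php
// Added example, not from the original post: why addslashes() fails under a
// multibyte connection charset (GBK), and the prepared-statement fix.

// Constructed attacker input: 0xBF is a valid GBK lead byte, followed by a quote.
$payload = "\xbf' OR 1=1 -- ";

// addslashes() is byte-oriented: it turns 0xBF 0x27 into 0xBF 0x5C 0x27.
// Under GBK the pair 0xBF 0x5C is ONE character, so the backslash is
// swallowed into it and the quote survives as a bare string terminator.
// This walks the escaped bytes the way the server would under $charset.
function quote_survives_escaping(string $input, string $charset): bool
{
    $escaped = addslashes($input);
    $len = mb_strlen($escaped, $charset);
    for ($i = 0; $i < $len; $i++) {
        if (mb_substr($escaped, $i, 1, $charset) !== "'") {
            continue;
        }
        $prev = $i > 0 ? mb_substr($escaped, $i - 1, 1, $charset) : '';
        if ($prev !== '\\') {
            return true;   // a quote not preceded by its own backslash character
        }
    }
    return false;
}

// Vulnerable pattern from the post: string concatenation after addslashes().
function unsafe_user_query(string $user): string
{
    return "SELECT * FROM users WHERE name = '" . addslashes($user) . "'";
}

// Hardened form: a parameterised query. The value is bound separately from
// the SQL text, so no escaping is needed and the charset trick has nothing
// to act on. Assumes an existing PDO connection $pdo (hypothetical) and a
// hypothetical users table.
function find_user(PDO $pdo, string $user): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE name = :name');
    $stmt->execute([':name' => $user]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo bin2hex(addslashes($payload)), "\n";
var_dump(quote_survives_escaping($payload, 'GBK'));
echo unsafe_user_query($payload), "\n";
```

Running the first part needs no database: the hex dump shows the backslash sitting between the lead byte and the quote, and quote_survives_escaping() reports that, read as GBK, the quote is still bare. For the PDO part with MySQL, put the charset in the DSN (for example charset=utf8mb4) and set PDO::ATTR_EMULATE_PREPARES to false so the server performs the binding rather than the client rebuilding the SQL string.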
Happy coding :)