Fix bug #65290

git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@331006 c90b9560-bf6c-de11-be94-00142212c4b1

reference/strings/functions/addslashes.xml

@@ -13,34 +13,44 @@
    <methodparam><type>string</type><parameter>str</parameter></methodparam>
   </methodsynopsis>
   <para>
-   Returns a string with backslashes before characters that need
-   to be quoted in database queries etc.  These characters are
-   single quote (<literal>'</literal>), double quote
-   (<literal>"</literal>), backslash (<literal>\</literal>)
-   and NUL (the &null; byte).
+   Returns a string with backslashes before characters that need to be
+   quoted.  These characters are single quote (<literal>'</literal>),
+   double quote (<literal>"</literal>), backslash
+   (<literal>\</literal>) and NUL (the &null; byte).
   </para>
   <para>
    An example use of <function>addslashes</function> is when you're
-   entering data into a database.  For example, to insert the name
-   <literal>O'reilly</literal> into a database, you will need to escape
-   it. It's highly recommended to use DBMS specific escape function
+   entering data into string that is evaluated by PHP. For example,
+   <literal>O'reilly</literal> is stored in $str, you need to escape
+   $str. (e.g.  eval("echo '".addslashes($str)."';"); )
+  </para>
+  <para>
+   To escape database parameters, DBMS specific escape function
    (e.g. <function>mysqli_real_escape_string</function> for MySQL or
-   <function>pg_escape_string</function> for PostgreSQL), but
-   if the DBMS you're using doesn't have an escape function
-   and the DBMS uses <literal>\</literal> to escape special chars,
-   you can use this function. This would only be to get the data
-   into the database, the extra <literal>\</literal> will not be inserted.
-   Having the PHP directive <link linkend="ini.magic-quotes-sybase">
-   magic_quotes_sybase</link> set to <literal>on</literal> will mean
-   <literal>'</literal> is instead escaped with another
-   <literal>'</literal>.
+   <function>pg_escape_literal</function>, <function>pg_escape_string</function>
+   for PostgreSQL) should be used for security reasons.  DBMSes have
+   differect escape specification for identifiers (e.g. Table name,
+   field name) than parameters. Some DBMS such as PostgreSQL provides
+   identifier escape
+   function, <function>pg_escape_indentifier</function>, but not all
+   DBMS provides identifier escape API. If this is the case, refer to
+   your database system manual for proper escaping method.
+  </para>
+  <para>
+   If your DBMS doesn't have an escape function and the DBMS
+   uses <literal>\</literal> to escape special chars, you might be
+   able use this function only when this escape method is adequate for
+   your database. Please note that use
+   of <function>addslashes</function> for database parameter escaping
+   can be cause of security issues on most databases.
   </para>
   <para>
    The PHP directive <link linkend="ini.magic-quotes-gpc">
-   magic_quotes_gpc</link> was <literal>on</literal> by default before PHP 5.4, and it
-   essentially ran <function>addslashes</function> on all GET, POST,
-   and COOKIE data.  Do not use <function>addslashes</function> on
-   strings that have already been escaped with
+   magic_quotes_gpc</link> was <literal>on</literal> by default before
+   PHP 5.4, and it essentially ran <function>addslashes</function> on
+   all GET, POST, and COOKIE data.  Do not
+   use <function>addslashes</function> on strings that have already
+   been escaped with
    <link linkend="ini.magic-quotes-gpc">magic_quotes_gpc</link> as you'll
    then do double escaping.  The function
    <function>get_magic_quotes_gpc</function> may come in handy for
@@ -89,7 +99,7 @@ echo addslashes($str);
    </example>
   </para>
  </refsect1>
- 
+
  <refsect1 role="seealso">
   &reftitle.seealso;
   <para>