Adding slashes covers SQL injection.
For those of you who don't know what SQL injection is:
Say you have a query (i see so many unprotected queries like this on tutorial sites):
PHP Code:
$q=mysql_fetch_assoc(mysql_query("SELECT *, COUNT(*) as found FROM users WHERE username='$_POST[password]' AND password='$_POST[password]' LIMIT 1"));
if ($q['found'])
{
echo "User found, thanks for logging in $q[username]";
}
Now, lets say i enter:
admin
In the username text input box.
Then i enter:
' OR 1='1
in the password input text box.
Now lets look at the query:
SELECT *, COUNT(*) as found FROM users WHERE username='admin' AND password='' OR 1='1' LIMIT 1
That will find a row since 1=1, thats a basic logic query. Now we are logged in since a row is found and the username is now admin.