Although there is no need to add or strip slashes in here, the following code should do as well as it is possible...
// query database for the books in a category
function get_books_in_category($catid) {
    if (!$catid || $catid == "") return false;
    $conn = db_connect();
    // escape the value, not the whole query: addslashes() on the complete
    // statement would also escape the delimiting quotes and break the SQL
    $catid = mysql_real_escape_string($catid, $conn);
    $query = "select * from tools where catid='$catid'";
    $result = @mysql_query($query, $conn);
    if (!$result) return false;
    $num_books = @mysql_num_rows($result);
    if ($num_books == 0) return false;
    return db_result_to_array($result);
}
Some information on the addslashes and stripslashes functions:
You only need slashes (which means backslashes) if
you have some special chars in a string that could
be interpreted as an "end of string".
If you have the string "here is "my" string",
PHP would collapse, because >my< would be interpreted
as some command following the string "here is " and be
followed by the string " string".
If you want to work with that string, you have to write it as
"here is \"my\" string", which would work correctly.
Now suppose you have the string
"insert into table values ( 'x' );"
Your MySQL tries to come with some "'" to quote this string.
Now MySQL or some other database would try to work on a
string looking like this:
'insert into table values( 'x' );'
And here you've got the same problem as in the example
some lines above. addslashes just works on the ' and "
and the other special chars within a string, so it can be
ensured that the string can be processed correctly.
So if you process the string above using the addslashes function,
MySQL would get something like this:
'insert into table values( \'x\' );'
With that string MySQL can work.
stripslashes is a command to strip those slashes out of
your string, to get for example the query above to give