I'm not sure why you would want to use addslashes over mysql_real_escape_string() but that's entirely your choice I suppose.
addslashes() does exactly what it says: Quote string with slashes
Example #1 An addslashes() example
But some SQL attacks can be performed without quotes (certain shell injections and some blind SQL injections).
For this reason I would personally use mysql_real_escape_string() over addslashes() for securing your data in THIS case.
Also consider using sprintf() for your sql queries as it makes it slightly more secure:
$query = sprintf("SELECT `username`,`password`
FROM admins
WHERE user = '%s'
AND `pass` = '%s'",
$user, $pass);
It makes it more secure as it won't allow any other data-types than the ones that you have given.
%d = digit
%s = string,
etc.
I hope this helps.
