So I have a really simple application that stores data in a MySQL database. The data is posted to a PHP file, which then wraps it in mysql_escape_string() and inserts it into the database.
On my local installation of Apache running PHP and MySQL it works fine, but on my hosting account it stores any ' and " characters with a \ in front. Both databases use the same latin1_swedish_ci character set and both are running the same version of MySQL, 5.5.27, but they are obviously behaving differently.
I am at a loss on this one. Thanks!
As @njk comments, it's likely that your hosting provider has magic quotes enabled in their PHP environment. So the PHP request parameters already contain escaping by the time your code sees them. Then you use mysql_real_escape_string() which applies escaping to the "\" escaping character, and the result is that literal "\" characters end up in your database.
You can verify the current setting in your hosting PHP environment by uploading a quick PHP script that checks get_magic_quotes_gpc() and prints "yes" or "no" based on the result. You can also check the report from phpinfo().
In general, you should always match your development environment to the PHP version and PHP settings of your hosting environment, so you can test your code with more assurance that it'll work the same when you deploy.
Another solution is to write your application to conditionally undo the magic quotes at runtime, if magic quotes is enabled. Then apply the mysql escaping as you normally do. Here's a link to a PHP code example to undo magic quotes at runtime: http://php.net/manual/en/security.magicquotes.disabling.php
Third piece of advice is to switch hosting providers. Find one who isn't still enabling years-old, deprecated features of PHP. There's no excuse for that!
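As an added example (not code from the answer or from the linked manual page), the script below models the double escaping described in the answer and the runtime undo it suggests. The function names are illustrative, and addslashes()/stripslashes() are stand-ins, chosen so the script runs on current PHP, for magic quotes, the SQL escaping call, and MySQL decoding the quoted literal.

```php
<?php
// Added example; function names are illustrative, not from the answer.

// True only where magic_quotes_gpc can still be on (removed in PHP 5.4;
// get_magic_quotes_gpc() itself is gone in PHP 8, so guard the call).
function magic_quotes_active()
{
    return PHP_VERSION_ID < 50400
        && function_exists('get_magic_quotes_gpc')
        && get_magic_quotes_gpc();
}

// Remove one layer of slashes from a value or a nested request array.
function strip_slashes_deep($value)
{
    return is_array($value)
        ? array_map('strip_slashes_deep', $value)
        : stripslashes($value);
}

// Model one request value travelling to the database.
// addslashes() stands in for magic quotes and for the SQL escaping call
// (same result for ' " and \); stripslashes() stands in for MySQL
// decoding the quoted literal. These stand-ins are assumptions.
function stored_value($sent, $magic_quotes_on, $undo_first)
{
    $seen = $magic_quotes_on ? addslashes($sent) : $sent;
    if ($magic_quotes_on && $undo_first) {
        $seen = strip_slashes_deep($seen);
    }
    $escaped = addslashes($seen);
    return stripslashes($escaped);
}

// Constructed sample input.
foreach (array("O'Reilly", 'say "hi"') as $sent) {
    printf("sent:                  %s\n", $sent);
    printf("local (quotes off):    %s\n", stored_value($sent, false, false));
    printf("host (quotes on):      %s\n", stored_value($sent, true, false));
    printf("host, undone first:    %s\n\n", stored_value($sent, true, true));
}

// In the real script, run this once before reading any request data:
if (magic_quotes_active()) {
    $_GET    = strip_slashes_deep($_GET);
    $_POST   = strip_slashes_deep($_POST);
    $_COOKIE = strip_slashes_deep($_COOKIE);
}
```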