In PHP, $_POST adds slashes before a quotation mark automatically, so why bother applying mysql_real_escape_string()? For example, when I input 'rrr in an input field, I get \'rrr when I echo it.
Because that only happens if Magic Quotes is enabled in your PHP configuration, which, as far as I know, is fairly uncommon nowadays. Also, mysql_real_escape_string escapes other MySQL-related characters.
Check out http://php.net/manual/en/security.magicquotes.php for more information on magic quotes.
As you can see, there already is a deprecation warning for this directive, so you should check your server configuration anyway^^
Edit: To disable magic quotes, search in your xampp folder for the php.ini, and add, or change if present, the following directives:
```ini
; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off
```
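To make the answer's two points concrete (magic quotes only add slashes when the directive is on, and the database layer needs its own escaping regardless), here is an added example; it is not code from the question or the answer. It assumes a MySQL server reachable with the placeholder credentials shown, a `users` table with `id` and `name` columns, and the mysqlnd driver (needed for `get_result()`). Because the `mysql_*` extension was removed in PHP 7, it uses `mysqli::real_escape_string` and a prepared statement in place of `mysql_real_escape_string()`.

```php
<?php
// Added example, not from the original post. Assumed: a MySQL server,
// a "users" table (id, name), and the mysqlnd driver for get_result().

// 1. Undo magic quotes when they are on, so request data reaches the
//    application without the extra backslashes that the question observed.
//    magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc()
//    in PHP 8.0, hence the function_exists() guard.
function normalizeRequestInput(array $data): array
{
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return $data;                       // nothing was slashed; leave as-is
    }
    $strip = function ($value) use (&$strip) {
        return is_array($value) ? array_map($strip, $value) : stripslashes($value);
    };
    return array_map($strip, $data);
}

// 2. The database-specific escaping the answer refers to: besides the single
//    quote, real_escape_string also handles NUL, \n, \r, \, " and Ctrl-Z,
//    which magic quotes does not cover in the same way.
function escapeForMysql(mysqli $db, string $input): string
{
    return $db->real_escape_string($input);
}

// 3. Preferred approach: a prepared statement keeps the query text and the
//    data apart, so the value needs no escaping at all, whatever magic
//    quotes did to it.
function findUser(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Placeholder connection details (constructed for the example).
$db   = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$post = normalizeRequestInput($_POST);
$name = $post['name'] ?? "'rrr";          // the question's sample input as fallback

echo "escaped literal: ", escapeForMysql($db, $name), "\n";
print_r(findUser($db, $name));
```

Run it under a web server with a form field named `name`, or from the CLI, where the fallback value `'rrr` is used; the echoed line shows the escaped form of the literal while the query itself never relies on that escaping.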