First of all, you should really switch from using `mysql_*` to either PDO or mysqli and use properly parameterized statements. Then you avoid calls to `mysql_real_escape_string` altogether.
The escaping concept is very broad in programming, and it applies here. Say you want to store someone's name in the DB: `Coryn O'Driscoll`. This is not even malicious, but this query will fail:

    INSERT INTO Names VALUES ('Coryn O'Driscoll')

You have an unclosed string. `mysql_real_escape_string` converts this to `('Coryn O\'Driscoll')`. The `\'` signals to MySQL that the apostrophe is not part of the syntax of the query but actually part of the scalar value to insert. It is actually inserted as `Coryn O'Driscoll`. This is why you don't have to remove any backslashes from it when you select it again.
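The same name round-tripped through PDO, as an added example that is not part of the original answer: it shows the concatenated query failing on the apostrophe, then a prepared statement storing and reading the value back with no escaping and no backslashes to strip. It assumes an in-memory SQLite database so it runs without a server; the `Names` table and the MySQL DSN in the comment are placeholders.

```php
<?php
// Added example (not from the original answer). PDO against in-memory SQLite so it
// runs offline; for MySQL use a DSN such as 'mysql:host=localhost;dbname=app'
// (placeholder) and the prepared-statement code below is unchanged.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On the MySQL driver, disabling emulated prepares makes the server itself bind
// the parameters instead of PDO escaping them client-side.
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->exec('CREATE TABLE Names (name TEXT NOT NULL)');

$name = "Coryn O'Driscoll"; // the apostrophe that breaks a hand-built query

// 1. String concatenation: the apostrophe closes the literal early and the
//    statement is malformed, exactly like the INSERT in the answer above.
try {
    $pdo->exec("INSERT INTO Names VALUES ('$name')");
    echo "unexpected: concatenated query succeeded\n";
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}

// 2. Prepared statement: the value travels separately from the SQL text, so it
//    needs no escaping and can never change the structure of the query.
$insert = $pdo->prepare('INSERT INTO Names (name) VALUES (:name)');
$insert->execute([':name' => $name]);

// 3. Reading it back returns the original string; nothing to unescape.
$select = $pdo->prepare('SELECT name FROM Names WHERE name = :name');
$select->execute([':name' => $name]);
$stored = $select->fetchColumn();

echo "stored value: " . $stored . "\n";
echo "identical to input: " . var_export($stored === $name, true) . "\n";
```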