Why bother using mysql_real_escape_string() since $_POST addes slashes before a quote automatically?

Question

In PHP, $_POST add slashes before a quotation mark automatically, so why bother applying mysql_real_escape_string()? For example, when I input 'rrr in an input field, and I get \'rrr when I echo it.

Answer 1

Because that only happens if MacigQuotes is enabled in your php configuration, which, as far as I know, is fairly uncommon nowadays. Also, mysql_real_escape_string also escapes other MySQL related characters.

Check out http://php.net/manual/en/security.magicquotes.php for more information on magic quotes.

As you can see, there already is a deprecation warning for this directive, so you should check your server configuration anyway^^

Edit: To disable magic quotes, search in your xampp folder for the php.ini, and add, or change if present, the following directives:

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

Answer 2

1. mysql_real_escape_string escapes more than just single-quotes, because there are other chars that can cause injection issues.
2. PHP only adds slashes to POSTed input if magic_quotes is enabled, which is considered bad practice (because it leads to laziness and not using things like real_escape_string!)

Answer 3

Magic quotes was deprecated as of PHP 5.3.0 and is obsolete as of PHP 6.0.

Edit: So the auto slashes can't be relied on because they are deprecated by most PHP installations, and soon will not work at all.