Magic_quotes basically runs all GET, POST, and request variables through the addslashes function. The addslashes function adds a backslash before a single quote ('), double quote ("), backslash (\), and null byte. If magic_quotes is turned off, you can get the same effect by running your variable through the addslashes function.
Mysql_escape_string and mysql_real_escape_string are very similar. The only differences are that you can use mysql_escape_string while not connected to a database, and that it doesn't respect the current charset setting. The PHP manual at php.org suggests that you should use mysql_real_escape_string any time you want to insert information into a database. Both of these functions escape backslashes (\), carriage returns (\r), new lines (\n), and single (') and double (") quotes. They also escape the characters \x00 and \x1a.
Magic_quotes is passive, meaning that it is an option that is turned on in your PHP config or htaccess file by adding magic_quotes_gpc = On. Mysql_escape_string and mysql_real_escape_string must be called on a variable, like all other functions. If you were to use mysql_real_escape_string, your code would look like this: mysql_real_escape_string($var).
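The difference between the two character sets described above, as an added example that is not part of the original post. addslashes() is PHP's real function; escape_like_mysql() is a hypothetical helper that mirrors the character list given here using the replacement sequences MySQL uses, needs no database connection, and ignores the charset. The sample inputs are constructed.

```php
<?php
// Hypothetical helper: escapes the characters the text lists for
// mysql_escape_string / mysql_real_escape_string. It is NOT a substitute
// for either function and does not consider the connection charset.
function escape_like_mysql(string $s): string
{
    // strtr() with an array replaces every key in one pass, so the
    // backslashes it inserts are never escaped a second time.
    return strtr($s, [
        "\\"   => "\\\\",  // backslash
        "\0"   => "\\0",   // null byte (\x00)
        "\n"   => "\\n",   // new line
        "\r"   => "\\r",   // carriage return
        "'"    => "\\'",   // single quote
        '"'    => '\\"',   // double quote
        "\x1a" => "\\Z",   // Ctrl-Z (\x1a)
    ]);
}

// Render control bytes as \xNN so they are visible on a terminal.
function visible(string $s): string
{
    return preg_replace_callback('/[\x00-\x1f]/', function ($m) {
        return sprintf('\x%02x', ord($m[0]));
    }, $s);
}

// Constructed sample inputs, one per character class discussed above.
$samples = [
    "O'Reilly",
    'say "hi"',
    "C:\\temp",
    "line1\r\nline2",
    "nul\0byte",
    "ctrl\x1az",
];

foreach ($samples as $in) {
    printf("%-18s addslashes: %-22s mysql-style: %s\n",
        visible($in),
        visible(addslashes($in)),
        visible(escape_like_mysql($in)));
}
```

The quote, backslash and null-byte rows come out identical in both columns; the \r\n and \x1a rows are where addslashes leaves the raw bytes in place and the MySQL-style set escapes them.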