Possible Duplicate:
Mysql Real Escape String PHP Function Adding “\” to My Field Entry
So here's the deal. I have a local server and a remote server and they both run the same php file which connects to 2 identical mysql databases. On the local server, the command
mysql_query("INSERT INTO eventtypes (name) VALUES ('".addslashes($_GET['name'])."')")
works like a charm, and does not insert the slashes into the field, only the raw value of the $_GET['name']. On the remote server however, the slashes are being inserted too. I have tried these:
mysql_query("INSERT INTO eventtypes (name) VALUES ('".str_replace("'","''",$_GET['name'])."')
This one returns false, although when I run the exact returned string on the command line of the corresponding database, it properly inserts the right amount of single quotes, which is super-weird.
mysql_query("INSERT INTO eventtypes (name) VALUES ('".mysql_real_escape_string($_GET['name'])."')")
mysql_real_escape_string() only added slashes to the single quotes, which were also inserted like with addslashes().
It sounds like you have Magic Quotes enabled on the remote server. This feature is causing the inconsistency you have discovered. Turn it off.
Once you have fixed that problem, the best approach of the three you are trying is mysql_real_escape_string. However, that is a legacy approach and not recommended. Use a modern database library (such as mysqli or PDO) and bound arguments. See also Best way to prevent SQL Injection in PHP.