mysql-real-escape-string

I'm having issues escaping/stripping strings with PHP/MySQL - there always seems to be redundant slashes. Let's take the following string as an example: <span style="text-decoration:underline;">underline</span> When adding a string to the database, I'm escaping it with mysql_real_escape_string() and the following gets stored in the database ( EDIT : checked this by querying the database directly with mysql app): <span style=\\\"text-decoration:underline;\\\">underline</span> When reading back out of the database, I'm passing the string through stripslashes() and the following is returned:

I'd like to have a function behaving as mysql_real_escape_string without connecting to database as at times I need to do dry testing without DB connection. mysql_escape_string is deprecated and therefore is undesirable. Some of my findings: http://www.gamedev.net/community/forums/topic.asp?topic_id=448909 http://w3schools.invisionzone.com/index.php?showtopic=20064 It is impossible to safely escape a string without a DB connection. mysql_real_escape_string() and prepared statements need a connection to the database so that they can escape the string using the appropriate character set -

I've been told that I'd be better using PDO for MySQL escaping, rather than mysql_real_escape_string . Maybe I'm having a brain-dead day (or it may be the fact I'm by no stretch of the imagination a natural programmer, and I'm still very much at the newbie stage when it comes to PHP), but having checked out the PHP manual and read the entry on PDO , I'm still no clearer as to what PDO actually is and why it's better than using mysql_real_escape_string . This may be because I've not really got to grips with the complexities of OOP yet (I'm assuming it's something to do with OOP), but other than

I have seen a few people on here state that concatenating queries using mysql_real_escape_string will not protect you (entirely) from SQL injection attacks. However, I am yet to see an example of input that illustrates an attack that mysql_real_escape_string would not protect you from. The majority of examples forget that mysql_query is limited to one query and use mysql_real_escape_string incorrectly. The only example I can think of is the following: mysql_query('DELETE FROM users WHERE user_id = '.mysql_real_escape_string($input)); This would not protect you from the following input: 5 OR 1