
Using addslashes and mysql real escape string together?


JAB Creations

2:16 am on Jun 21, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm wondering about the implications of using addslashes and mysql_real_escape_string together?

Currently mysql_real_escape_string alone will remove slashes. However, after encompassing mysql_real_escape_string with addslashes, if I post ten backslashes I get the full ten I posted instead of only five, which is the desired effect.

However, I'm looking to see what others think, minus any heated debates. If encompassing one inside the other, is there a proper nesting of these methods?

- John

eelixduppy

10:16 am on Jun 21, 2010 (gmt 0)



>> Currently mysql_real_escape_string alone will remove slashes.

False. mysql_real_escape_string adds slashes before special characters that would otherwise cause problems in a database query.

[php.net...]

Therefore, you should not be using both for the same string because you will be over-escaping it.

JAB Creations

9:14 pm on Jun 21, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for your reply Eelix. My primary goal is security first and foremost; however, I also want to make sure that what the user posts is what the user sees.

Case in point ten back-slashes...
\\\\\\\\\\


...are turned into twenty and then inserted into the database...

\\\\\\\\\\\\\\\\\\\\


...so the user posts ten and sees twenty. I know this is probably not a good example but it's the only lend apples and receive back oranges scenario I have come up with at this point.

- John

Readie

9:23 pm on Jun 21, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



>> ...so the user posts ten and sees twenty.

[uk2.php.net...]

:)

eelixduppy

12:58 am on Jun 22, 2010 (gmt 0)



>> My primary goal is security first and foremost

mysql_real_escape_string offers all the protection of addslashes and more, but not the other way around. You should not be using both, but if you had to choose one over the other, mysql_real_escape_string is what you want.
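An added example (not from this thread or from PHP itself) illustrating the over-escaping point made in the two replies above: the escaping rules of PHP's addslashes() and mysql_real_escape_string() and the way MySQL parses a quoted string literal are re-implemented here as a Python emulation (an assumption of fidelity, since the real function needs a live MySQL connection), so the stored result of escaping once versus escaping twice can be compared offline.

```python
# Emulation (added example): how a value escaped once vs. twice ends up in MySQL.

# Characters mysql_real_escape_string escapes, per the MySQL C API docs:
# NUL, newline, carriage return, backslash, single quote, double quote, Ctrl-Z.
_MYSQL_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}
# What the server turns each backslash sequence back into when parsing '...'.
_MYSQL_UNESCAPES = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a",
                    "b": "\b", "t": "\t"}

def mysql_real_escape_string(s: str) -> str:
    """Emulates PHP's mysql_real_escape_string (no connection needed here)."""
    return "".join(_MYSQL_ESCAPES.get(c, c) for c in s)

def addslashes(s: str) -> str:
    """Emulates PHP's addslashes: backslash before ' " \\ and NUL."""
    return "".join("\\0" if c == "\0" else ("\\" + c if c in "'\"\\" else c)
                   for c in s)

def stripslashes(s: str) -> str:
    """Emulates PHP's stripslashes: removes one level of addslashes escaping."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append("\0" if s[i + 1] == "0" else s[i + 1])
            i += 2
        elif s[i] == "\\":
            i += 1            # lone trailing backslash is dropped, as in PHP
        else:
            out.append(s[i])
            i += 1
    return "".join(out)

def mysql_parse_literal(escaped: str) -> str:
    """The value MySQL stores after parsing '<escaped>' as a string literal."""
    out, i = [], 0
    while i < len(escaped):
        if escaped[i] == "\\" and i + 1 < len(escaped):
            nxt = escaped[i + 1]
            out.append(_MYSQL_UNESCAPES.get(nxt, nxt))   # unknown \x -> x
            i += 2
        else:
            out.append(escaped[i])
            i += 1
    return "".join(out)

def stored_value(user_input: str, double_escape: bool = False) -> str:
    """Escape once (correct) or nest addslashes around it (the thread's setup)."""
    escaped = mysql_real_escape_string(user_input)
    if double_escape:
        escaped = addslashes(escaped)   # second escaping layer
    return mysql_parse_literal(escaped)

TEN_BACKSLASHES = "\\" * 10   # constructed sample input from the thread
```

Escaping once round-trips the ten backslashes unchanged; nesting addslashes around it stores twenty, which is exactly the "post ten, see twenty" symptom, and stripslashes only undoes the addslashes layer, not the database escaping.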

eelixduppy

1:02 am on Jun 22, 2010 (gmt 0)



P.S. Make sure you have magic_quotes turned off, as it will give you unexpected results in form submissions.

JAB Creations

1:58 am on Jun 22, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for both of your replies! Readie, go figure I forgot about stripslashes!

Eelix, yes, magic_quotes are off both locally and on my live servers.

- John