mysql_escape_string

Escapes a string for use in a mysql_query.

Description

string mysql_escape_string ( string $unescaped_string )

This function escapes unescaped_string so that it is safe to place in a mysql_query. mysql_escape_string does not escape % and _.

This function is identical to mysql_real_escape_string, except that mysql_real_escape_string takes a connection handler and escapes the string according to the connection's current character set. mysql_escape_string takes no connection argument and does not respect the current charset setting.

Example #1 mysql_escape_string() example

The above example would produce the following output:

This function has been deprecated since PHP 4.3.0. Do not use this function. Use mysql_real_escape_string instead.

See also mysql_real_escape_string, addslashes and the magic_quotes_gpc directive.

- mysql_escape_string calls MySQL's library function of the same name, which prepends a backslash to the following characters: NUL (\x00), \n, \r, \, ', " and \x1a.
- addslashes() escapes only NUL, ', " and \.

```php
<?php
// $name holds the user-supplied value; escape it before interpolating it
// into the SQL text.
$name = mysql_escape_string($name);
$query = "SELECT * FROM adresses WHERE name='$name' AND private='N'";
mysql_query($query);
?>
```

Without mysql_escape_string, a user could set name to "' OR 1=1 OR ''='", which turns the query into:

SELECT * FROM adresses WHERE name='' OR 1=1 OR ''='' AND private='N'

The OR 1=1 makes the WHERE clause true for every row, so the private='N' restriction no longer limits what is returned.
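The following is an added, self-contained example (not code from the PHP manual) that reproduces the escaping rules listed above in plain PHP, because mysql_escape_string() itself no longer exists in current PHP versions. The function name escape_like_mysql_escape_string and the build_query helper are this example's own; like the original function it ignores the connection charset, which is why the manual points to mysql_real_escape_string instead.

```php
<?php
// Re-implementation, for this example only, of the character set that
// MySQL's mysql_escape_string() handles: NUL, \n, \r, \, ', " and \x1a.
// The library emits \0 for NUL and \Z for \x1a so the result stays printable.
function escape_like_mysql_escape_string(string $s): string
{
    return strtr($s, [
        "\x00" => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\x1a" => "\\Z",
    ]);
}

// The same query as in the note above, built by string interpolation.
function build_query(string $name): string
{
    return "SELECT * FROM adresses WHERE name='$name' AND private='N'";
}

// Constructed sample input: the payload discussed in the note above.
$name = "' OR 1=1 OR ''='";

// Unescaped, the quote in $name closes the literal and the rest becomes SQL.
echo "Unescaped: ", build_query($name), "\n";

// Escaped, every quote is prefixed, so the whole payload stays inside the
// string literal and is compared against the name column as plain text.
echo "Escaped:   ", build_query(escape_like_mysql_escape_string($name)), "\n";

// Difference from addslashes(): it leaves \n, \r and \x1a untouched, so a
// value containing them is passed through unchanged.
$control = "a\nb\x1ac";
echo "addslashes unchanged: ", var_export(addslashes($control) === $control, true), "\n";
echo "mysql-style escaped:  ", escape_like_mysql_escape_string($control), "\n";
```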