On an older server I'm using that I can't use prepared statements on I am currently trying to fully escape user input before sending it to MySQL.For this I am using the PHP function \[code\]mysql_real_escape_string\[/code\].Since this function does not escape the MySQL wildcards % and _ I am using \[code\]addcslashes\[/code\] to escape these as well.When I send something like:\[code\]test_test " ' \[/code\]to the database and then read it back the database shows:\[code\]test\_test " ' \[/code\]Looking at this I can't understand why the _ has a preceding backslash but the " and ' don't.Since they are all escaped with \ surely _ ' and " should all appear the same, i.e. all have the escape character visible or all not have it visible.Are the escaping \s automatically screened out for Can anyone explain this?