I have a PHP page that takes login info and sends it to a login script.
I wanted to lock down the login script against SQL injections, so I have begun to use the mysql_real_escape_string() function on data input from that form.
Not sure if it's a server setting or what, but if a user has an apostrophe in their name like "Mike's Test", on submit it comes through as "Mike\'s Test".
Of course, if I apply mysql_real_escape_string() to that, it becomes "Mike\\\'s Test", and then that fails in the user check query.
So what I'm doing is this:
$username = mysql_real_escape_string(stripslashes($_POST['username']));
This works - but is it still secure against SQL injection attacks?
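The double escaping described in the question, reproduced offline as an added example that is not part of the original post, alongside a lookup that binds the username as a parameter instead of escaping it. Assumptions: addslashes() stands in for the server's magic_quotes_gpc behaviour, an in-memory SQLite database reached through PDO stands in for the MySQL users table, and raw_input() and find_user() are hypothetical helper names.

```php
<?php
// Added example: helper names are hypothetical, input values are constructed.

// Undo magic_quotes_gpc only when it is actually enabled. The setting was
// removed in PHP 5.4; on later versions request data arrives unmodified.
function raw_input(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Look the user up with a bound parameter: the value is sent as data and
// never becomes part of the SQL text, so no escaping function is needed.
function find_user(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : $row;
}

// Assumption: in-memory SQLite stands in for the MySQL users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY)');
$db->prepare('INSERT INTO users VALUES (?)')->execute(["Mike's Test"]);

// 1. What the form delivers when magic quotes are on (simulated).
$posted = addslashes("Mike's Test");
echo "posted:         $posted\n";

// 2. Escaping the already-escaped value a second time is the
//    double-escape from the question (addslashes used as a stand-in).
echo "escaped twice:  " . addslashes($posted) . "\n";

// 3. Restore the raw input once, then bind it: the apostrophe is plain data.
echo "lookup result:  ";
var_dump(find_user($db, raw_input($posted, true)));

// 4. Caveat: with magic quotes off, an unconditional stripslashes()
//    silently removes backslashes the user really typed.
echo "unconditional:  " . stripslashes('DOMAIN\\mike') . "\n";
echo "conditional:    " . raw_input('DOMAIN\\mike', false) . "\n";
```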