Righto, firstly magic quotes & runtime are disabled correctly in php.ini, and confirmed by phpinfo(). PHP version: 5.3.4 MySQL version: 5.1.52 I'm only use mysql_real_escape_string on the data, after htmlspecialchars and a trim, that's all the data cleaning on the variable. Yet, when I submit a single quote, the slash remains in the database. When running mysql_query I'm using "' . $var . '", although in the past this hasn't changed anything (could be due to the double quotes?). Any ideas? and please don't tell me about PDO/prepared statements, I'm aware of them and I have my reasons for doing it this way. Thanks!