My server admin recently upgraded to PHP 5.3 and I'm getting a weird "bug" (or feature, as the PHP folks have it). I had mysql_real_escape_string around most of my string form data for obvious safety reasons, but now it seems this escaping is already done by PHP.

<?php

echo $_GET["escaped"];

?>

<form method="get">
    <input type="text" name="escaped" />
</form>

This outputs, if I enter for instance escape 'this test', escape \'this test\'. Same goes if I use POST instead of GET.

Is it directly tied to the 5.3 upgrade or could my admin have triggered some automatic switch in the php.ini file?

Also, should I just leave it as is (in the event that it is indeed a good fail proof mechanism that correctly catches all get and post variables), or should I disable it (if that's even possible!) and go back to mysql_real_escape_string? My guts tell me approach 2 would be best, but approach 1 would be somewhat automagical. :)

EDIT: Actually, I need to disable it. Sometimes I gather the form data and resend it to the client form in case something was wrong (i.e. missing field), so I don't want him/her to have slashes appearing out of nowhere.

This "feature" is known as magic_quotes_gpc and does not protect you from all SQL injection attacks (addslashes is called on every element of the input superglobals such as $_POST and $_GET. This ignores the actual input/database encoding). It is therefore deprecated and should not be used.

The official php manual includes a neat way to undo it in php code, but you should just turn it off.

This is due to magic quotes, you should turn it off.

And here is how you turn it off: http://www.php.net/manual/en/security.magicquotes.disabling.php

You do it either via php.ini or by removing slashes from all variables in $_GET and $_POST, obviously the former is the recommended way to go.

As Will Martin suggests you can also change it via a .htaccess like this:

php_flag magic_quotes_gpc off

More info here: http://php.net/manual/en/configuration.changes.php

check http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc option in php.ini

It sounds like your server has magic quotes turned on - you can take a look at http://www.php.net/manual/en/security.magicquotes.disabling.php for a thorough discussion of ways to disable them.