mysql_real_escape_string() leaving slashes in MySQ

Posted 2019-01-24 05:03

I just moved to a new hosting company and now whenever a string gets escaped using:

mysql_real_escape_string($str);

the slashes remain in the database. This is the first time I've ever seen this happen so none of my scripts use stripslashes() anymore.

This is on a CentOS 4.5 64bit running php 5.2.6 as fastcgi on a lighttpd 1.4 server. I've ensured that all magic_quotes options are off and the mysql client api is 5.0.51a.

I have the same issue on all 6 of my webservers.

Any help would be appreciated.

Thanks.

Edit:

Magic Quotes isn't on. Please don't recommend turning it off. THIS IS NOT THE ISSUE.

9 answers
Ridiculous、
#2 · 2019-01-24 05:42

It sounds as though you have magic quotes turned on. Turning it off isn't too hard: just create a file in your root directory called .htaccess and put this line in it:

php_flag magic_quotes_gpc off

If that's not possible for whatever reason, or you want to change your application to be able to handle magic quotes, use this technique:

Instead of accessing the request variables directly, use a function instead. That function can then check if magic quotes is on or off and strip out slashes accordingly. Simply running stripslashes() over everything won't work, because you'll get rid of slashes which you actually want.

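// Return a POST value with any magic-quotes escaping undone.
function getVar($key) {
    // Missing keys return null instead of raising an undefined-index notice.
    if (!isset($_POST[$key])) {
        return null;
    }
    // With magic_quotes_gpc on, PHP has already added slashes: strip them once.
    if (get_magic_quotes_gpc()) {
        return stripslashes($_POST[$key]);
    }
    return $_POST[$key];
}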

$x = getVar('x');

Now that you've got that, all your incoming variables are ready to be escaped again and mysql_real_escape_string() won't stuff them up.

We Are One
#3 · 2019-01-24 05:42

You must probably have magic quotes turned on. Figuring out exactly how to turn it off can be quite a headache in PHP. While you can turn off magic quotes with set_magic_quotes_runtime(0), it isn't enough -- Magic quotes has already altered the input data at this point, so you must undo the change. Try with this snippet: http://talks.php.net/show/php-best-practices/26

Or better yet -- Disable magic quotes in php.ini, and any .htaccess files it may be set in.

何必那么认真
#4 · 2019-01-24 05:44

What might be the problem (it was with us) is that you use mysql_real_escape_string() multiple times on the same var. When you use it multiple times, it will add the slashes.

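The double-escaping effect described in the answers above, as an added example that is not part of the original thread. escape_like_mysql() and server_parse_literal() are hypothetical stand-ins that model mysql_real_escape_string() for a single-byte character set and the server's reading of a quoted literal, so the script runs without a database; the input string is constructed.

```php
<?php
// Added illustration: models escaping and storage without a database.

// Hypothetical stand-in for mysql_real_escape_string() (single-byte charset assumed).
function escape_like_mysql($s) {
    return strtr($s, array(
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ));
}

// Hypothetical model of the server reading the body of a '...' literal:
// each backslash escape collapses to one character, and that is what is stored.
function server_parse_literal($body) {
    $map = array('0' => "\0", 'n' => "\n", 'r' => "\r", 't' => "\t",
                 'b' => "\x08", 'Z' => "\x1a");
    $out = '';
    $len = strlen($body);
    for ($i = 0; $i < $len; $i++) {
        $c = $body[$i];
        if ($c === "\\" && $i + 1 < $len) {
            $next = $body[++$i];
            if (isset($map[$next])) {
                $out .= $map[$next];        // control-character escapes
            } elseif ($next === '%' || $next === '_') {
                $out .= "\\" . $next;       // \% and \_ keep their backslash
            } else {
                $out .= $next;              // \' \" \\ stand for the character itself
            }
        } else {
            $out .= $c;
        }
    }
    return $out;
}

$input = "O'Reilly";   // constructed sample input

$cases = array(
    'escaped once'          => escape_like_mysql($input),
    'escaped twice'         => escape_like_mysql(escape_like_mysql($input)),
    // addslashes() models what magic_quotes_gpc does to request data.
    'magic quotes + escape' => escape_like_mysql(addslashes($input)),
);

foreach ($cases as $label => $literal) {
    $stored = server_parse_literal($literal);
    printf("%-22s literal=%-14s stored=%-10s %s\n", $label, $literal, $stored,
        $stored === $input ? 'ok' : 'slashes left in row');
}
```

Only the value escaped exactly once round-trips to the original string; both other cases leave a backslash in the stored row, which is the symptom the question describes.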