Shouldn't mysql_real_escape_string() leave slashes in Database?

青春惊慌失措 2021-01-20 13:10

I'm using Smarty and mysql_real_escape_string() for user input, and when I insert some code with \' or \" and look it up in phpMyAdmin it

1 answer
  •  不思量自难忘°
    2021-01-20 14:02

    You're missing it - escaping with backslashes is meant to ensure that queries aren't malformed, e.g. something like this will surely break and possibly risk SQL injections:

    insert into table values ('whatever 'this' is')
    

    and nothing will be saved in the table, whereas this:

    insert into table values ('whatever \'this\' is')
    

    will save the value "whatever 'this' is" in the table.

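Added example (not part of the original answer, and not MySQL's or PHP's own code): a simplified Python model of how the client escapes a string literal and how the SQL parser decodes it, showing that the backslashes exist only in the query text and never reach the stored value. The function names are hypothetical, and the model assumes MySQL's default SQL mode (backslash escapes enabled) and a single-byte character set.

```python
# Simplified model of MySQL string-literal handling (default sql_mode,
# single-byte charset). Illustration only; not MySQL's or PHP's code.

# Characters mysql_real_escape_string() prefixes with a backslash.
ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
           "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
# Escape sequences the SQL parser turns back into single characters.
UNESCAPES = {"0": "\0", "n": "\n", "r": "\r", "t": "\t", "b": "\b", "Z": "\x1a"}


def escape(value):
    """Client side: produce text that is safe between single quotes."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def read_literal(sql, start):
    """Server side: decode the quoted literal that starts at sql[start].

    Returns (decoded_value, index_after_closing_quote).
    """
    assert sql[start] == "'"
    out, i = [], start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):   # the backslash is consumed here
            nxt = sql[i + 1]
            # \% and \_ keep their backslash outside pattern matching
            out.append(UNESCAPES.get(nxt, "\\" + nxt if nxt in "%_" else nxt))
            i += 2
        elif ch == "'":
            if sql[i + 1:i + 2] == "'":      # '' also means one quote
                out.append("'")
                i += 2
            else:
                return "".join(out), i + 1    # literal ends here
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def stored_value(user_input, escaped=True):
    """Build the INSERT from the answer; return (stored text, leftover SQL)."""
    text = escape(user_input) if escaped else user_input
    sql = "insert into table values ('" + text + "')"
    value, end = read_literal(sql, sql.index("'"))
    return value, sql[end:]
```

With escaping, the leftover SQL is just the closing `)` and the stored text equals the input; without it, the literal ends at the first inner quote and the rest of the input is parsed as SQL.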