- Modified patch #13180/#29414: use mysql_real_escape_string() to escape

  strings rather than addslashes().  mysql_real_escape_string() uses the
  connections charset settings to properly escape.

includes/database.mysql.inc

@@ -266,7 +266,7 @@ function db_decode_blob($data) {
  * Prepare user input for use in a database query, preventing SQL injection attacks.
  */
 function db_escape_string($text) {
-  return addslashes($text);
+  return mysql_real_escape_string($text);
 }
 
 /**

includes/database.mysqli.inc

@@ -266,7 +266,7 @@ function db_decode_blob($data) {
  * Prepare user input for use in a database query, preventing SQL injection attacks.
  */
 function db_escape_string($text) {
-  return addslashes($text);
+  return mysql_real_escape_string($text);
 }