As we know, magic quotes in PHP are already deprecated; this was done to discourage relying on this feature for preventing SQL injection and to encourage developers to develop database-specific escaping mechanisms. [Source: php.net] Is this really necessary?

If Yes,

Why? Why can't we just use functions like mysql_real_escape_string(), addslashes() and stripslashes() to achieve the same thing instead of developing different escaping mechanisms?

An answer with example will be appreciated. Thanks

+2  A: 

mysql_real_escape_string() already is a database specific escaping mechanism :)

If you are choosing a database layer for a new project, be sure to take a look at PDO whose prepared statements will automatically take care of any necessary escaping.

Pekka
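A worked comparison of the three approaches discussed above (string concatenation, a database-specific escaping call, and a PDO prepared statement), added here as an example and not part of Pekka's answer. It assumes an in-memory SQLite database with a constructed `users` table; the function names are chosen for illustration.

```php
<?php
// Added example, not from the original answer. Uses an in-memory SQLite
// database so it runs offline; the `users` table is constructed for illustration.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
// With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES => false so the server
// binds parameters instead of PHP rebuilding the SQL string client-side.
$pdo->exec("CREATE TABLE users (username TEXT, email TEXT)");
$pdo->exec("INSERT INTO users VALUES ('alice', 'alice@example.com'), ('O''Brien', 'ob@example.com')");

// Constructed input containing a single quote: legitimate data, but exactly
// the kind of value that breaks a query built by string concatenation.
$username = "O'Brien";

// 1. Concatenation: the quote in $username terminates the SQL string literal
//    early, so the rest of the input is parsed as SQL (here it is a syntax error).
function lookupConcatenated(PDO $pdo, string $username): ?string {
    $row = $pdo->query("SELECT email FROM users WHERE username = '$username'")->fetch();
    return $row ? $row['email'] : null;
}

// 2. Driver-specific escaping: PDO::quote() is PDO's counterpart to
//    mysql_real_escape_string() and adds the surrounding quotes itself.
//    Correct only if every value is run through it, every time.
function lookupQuoted(PDO $pdo, string $username): ?string {
    $sql = "SELECT email FROM users WHERE username = " . $pdo->quote($username);
    $row = $pdo->query($sql)->fetch();
    return $row ? $row['email'] : null;
}

// 3. Prepared statement: SQL text and data travel separately, so no escaping
//    decision is left to the application code at all.
function lookupPrepared(PDO $pdo, string $username): ?string {
    $stmt = $pdo->prepare("SELECT email FROM users WHERE username = :username");
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    return $row ? $row['email'] : null;
}

try {
    var_dump(lookupConcatenated($pdo, $username));
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . PHP_EOL;
}
var_dump(lookupQuoted($pdo, $username));
var_dump(lookupPrepared($pdo, $username));
```

The first lookup fails on the quote character while the other two return the same row; only the prepared statement stays correct without the application remembering to escape each value.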