Escaping & (special chars) in MySql or PHP -

the string-

<object width="480" height="385"><param name="movie" value="http://www.youtube.com/v/ebopiwpoxi0?fs=1&amp;hl=en_us"></param><param name="allowfullscreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/ebopiwpoxi0?fs=1&amp;hl=en_us" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object> 

what gets stored in database -

<object width=\"480\" height=\"385\"><param name=\"movie\" value=\"http://www.youtube.com/v/ebopiwpoxi0?fs=1 

already using - mysql_real_escape_string(), doesn't &:

$_post['desc'] = mysql_real_escape_string($_post['desc']); mysql_query('insert user_showcase( title, description, user_id, date_n_time) values( "'.$_post['title'].'", "'.$_post['desc'].'", "'.$_session['uid'].'", now())') or die(mysql_error()); mysql_close($con); 

the html -

<textarea id="desc_in" cols="40" rows="10"></textarea> 

mysql_real_escape_string() is proper mechanism if using legacy mysql library. if getting additional backslashes it's because php environment old. run <?php phpinfo(); ?> , find directives start magic_:

magic_quotes_gpc magic_quotes_runtime magic_quotes_sybase 

ideally, should disabled. if run php apache module, can change in .htaccess file:

php_flag magic_quotes_gpc off php_flag magic_quotes_runtime off php_flag magic_quotes_sybase off 

if run php cgi, you'll have custom php.ini file somewhere in account.

as mentioned, & not special char mysql.

answer updated question

the standard string delimiter in sql single quote, not double quote:

select 'i string';