I'm setting up a website right now and I was testing for SQL injection with no protection against it. (like before using mysql_real_escape_string) Basically the way I set it up was as follows:

PHP Code:
<?php

// Deliberately no escaping here: this is the unprotected version used to test for SQL injection
$blah = $_POST['blah'];
$user = $_COOKIE['user'];

$query = "UPDATE table SET blah='$blah' WHERE username='$user'";

mysql_query($query);

?>
What confused me was that, even though I put no instructions to do so, PHP escapes all MySQL special characters automatically. I even tried using mysql_real_escape_string() with my queries, and it actually inserted the backslashes into the table (i.e. it was being escaped twice).

So what's going on here? Did I miss the memo where PHP started auto-escaping mysql queries?
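The behaviour described above (backslashes appearing in request data before the script touches it, and doubled escaping when the script escapes again) is what PHP's magic_quotes_gpc setting does: when it is on, PHP runs addslashes() over every value in $_GET, $_POST and $_COOKIE before the script starts. The following is an added example, not code from the original post, showing how to confirm that this setting is the cause, how to undo it so a value is escaped exactly once, and the prepared-statement form that makes the question moot. It assumes PHP older than 5.4 (the last version where the setting still has an effect), the mysqli extension rather than the deprecated mysql_ functions, and placeholder connection details; the table and column names are the ones from the post.

```php
<?php
// Added example, not from the original post. Assumes PHP < 5.4, mysqli,
// and placeholder credentials. Table/column names come from the post.

// Return the value as the client actually sent it. When magic_quotes_gpc is
// on, PHP has already prepended a backslash to ' " \ and NUL in every
// request value, so strip that one layer; otherwise return the value as is.
// get_magic_quotes_gpc() returns false on PHP >= 5.4 and is gone in 8.0,
// so the function_exists() guard keeps this safe on newer versions too.
function raw_input($value) {
    $magicQuotesOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    if (!$magicQuotesOn) {
        return $value;
    }
    return is_array($value) ? array_map('raw_input', $value) : stripslashes($value);
}

// Same inputs as the post's snippet, but with magic quotes undone.
$blah = isset($_POST['blah']) ? raw_input($_POST['blah']) : '';
$user = isset($_COOKIE['user']) ? raw_input($_COOKIE['user']) : '';

// Placeholder connection details (assumption, adjust for your setup).
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}

// Escaping by hand, applied exactly once and using the connection's charset.
// This is only correct because each value sits inside single quotes in the
// SQL; an unquoted numeric position would still be injectable.
// `table` is backquoted because TABLE is a reserved word in MySQL.
$escapedQuery = sprintf(
    "UPDATE `table` SET blah='%s' WHERE username='%s'",
    $db->real_escape_string($blah),
    $db->real_escape_string($user)
);

// Preferred form: a prepared statement. The values are sent separately from
// the SQL text, so neither magic quotes nor manual escaping is involved and
// a value such as  x' OR '1'='1  is stored literally instead of parsed.
$stmt = $db->prepare('UPDATE `table` SET blah = ? WHERE username = ?');
if ($stmt === false) {
    die('prepare failed: ' . $db->error);
}
$stmt->bind_param('ss', $blah, $user);
$stmt->execute();
printf("%d row(s) updated\n", $stmt->affected_rows);
$stmt->close();
$db->close();
```

To see which path the data took, compare $_POST['blah'] with raw_input($_POST['blah']) for an input containing a single quote: with magic_quotes_gpc on they differ by one backslash, which is the layer that ended up in the table when mysql_real_escape_string() was applied on top of it. Turning the setting off in php.ini (magic_quotes_gpc = Off) and using the prepared-statement form removes the problem entirely rather than compensating for it.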