Ah I just tried it... php automatically adds escape characters to quotes hence I don't really see how sql injection attacks occur (maybe this was only an old problem which was not considered in earlier versions of php)