PHP's "magic quotes" feature was enabled by default for many years. This practically guaranteed issues with escaped database strings. (Unless the developer spent more time debugging that it would have taken to do it properly in the first place.)