Quote:
Note: A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used.
Note: If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.
Note: If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks.
Note: mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.
I've seen mysql_real_escape_string fail to sanitize / work properly if something happened with the database connection... so you might want to check that it doesn't return FALSE. Also keep in mind that while it does a good job of sanitizing input, it doesn't make the input completely safe... for example, I've seen cases where it's not necessary to use special characters to inject SQL and cause a desired outcome... you will still have to be careful/check the input before passing it on to the database and make sure it makes sense in the context provided... i.e., if you are expecting an integer argument, don't accept a string (this is by far the most common thing I see)...
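The points raised above (check the FALSE return, undo magic_quotes_gpc before escaping, handle the % and _ wildcards for LIKE, and validate an integer argument as an integer instead of escaping it) put together as an added example. This is not code from the original post or the PHP manual; it assumes the legacy ext/mysql API the thread is about, an already-opened connection resource $link, and a hypothetical users table with id and name columns.

```php
<?php
// Added example (not from the original post). Assumes the legacy ext/mysql
// extension, an open connection resource $link from mysql_connect(), and a
// hypothetical "users" table with "id" and "name" columns.

// Escape a string value, failing hard instead of silently interpolating "".
function escape_or_fail($link, $value)
{
    if (get_magic_quotes_gpc()) {
        // PHP already slashed GPC data; strip it or it gets escaped twice.
        $value = stripslashes($value);
    }
    $escaped = mysql_real_escape_string($value, $link);
    if ($escaped === false) {
        // Happens when the connection is gone; never build the query anyway.
        throw new RuntimeException('mysql_real_escape_string() failed: connection not usable');
    }
    return $escaped;
}

// Escape a value destined for a LIKE pattern. Order matters: string escaping
// first, then the wildcards, so the backslashes added here are not doubled.
function escape_for_like($link, $value)
{
    $escaped = escape_or_fail($link, $value);
    return str_replace(array('%', '_'), array('\\%', '\\_'), $escaped);
}

// Integer argument: accept only a canonical non-negative decimal integer.
// Escaping is the wrong tool here; a string with no special characters passes
// through mysql_real_escape_string() untouched, so the type check is what
// keeps anything but a number out of the query.
function parse_user_id($raw)
{
    if (is_int($raw)) {
        return $raw >= 0 ? $raw : null;
    }
    if (is_string($raw) && preg_match('/^(0|[1-9][0-9]{0,9})$/', $raw)) {
        return (int)$raw;
    }
    return null;   // anything else is rejected, not "cleaned"
}

function fetch_user_by_id($link, $raw_id)
{
    $id = parse_user_id($raw_id);
    if ($id === null) {
        return null;
    }
    $result = mysql_query("SELECT id, name FROM users WHERE id = $id", $link);
    if ($result === false) {
        throw new RuntimeException('query failed: ' . mysql_error($link));
    }
    $row = mysql_fetch_assoc($result);
    mysql_free_result($result);
    return $row === false ? null : $row;
}

function search_users_by_name_prefix($link, $raw_prefix)
{
    // String argument: enforce type and a sane length before escaping.
    if (!is_string($raw_prefix) || $raw_prefix === '' || strlen($raw_prefix) > 64) {
        return array();
    }
    $prefix = escape_for_like($link, $raw_prefix);
    $sql = "SELECT id, name FROM users WHERE name LIKE '{$prefix}%' LIMIT 100";
    $result = mysql_query($sql, $link);
    if ($result === false) {
        throw new RuntimeException('query failed: ' . mysql_error($link));
    }
    $rows = array();
    while (($row = mysql_fetch_assoc($result)) !== false) {
        $rows[] = $row;
    }
    mysql_free_result($result);
    return $rows;
}

// Usage (assumes $link is a live connection):
// $user = fetch_user_by_id($link, $_GET['id']);           // non-integer input -> null
// $hits = search_users_by_name_prefix($link, $_GET['q']); // a "%" in q matches a literal "%"
```

The two query functions apply the same rule the post ends on: decide what the value must look like in its context first, and only then escape what is actually a string. escape_for_like() is kept separate from escape_or_fail() because the \% and \_ sequences only mean "literal character" inside a LIKE pattern; applying them to a value used in an ordinary equality comparison would change what is matched.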