mysql_escape_string VS mysql_real_escape_string

The difference is that mysql_escape_string just treats the string as raw bytes, and adds escaping where it believes it’s appropriate. mysql_real_escape_string, on the other hand, uses the information about the character set used for the MySQL connection. This means the string is escaped while treating multi-byte characters properly; i.e., it won’t insert escaping characters in …

Alternative to mysql_real_escape_string without connecting to DB

It is impossible to safely escape a string without a DB connection. mysql_real_escape_string() and prepared statements need a connection to the database so that they can escape the string using the appropriate character set – otherwise SQL injection attacks are still possible using multi-byte characters. If you are only testing, then you may as well …

Shortcomings of mysql_real_escape_string?

The main shortcoming of mysql_real_escape_string, or of the mysql_ extension in general, is that it is harder to apply correctly than other, more modern APIs, especially prepared statements. mysql_real_escape_string is supposed to be used in exactly one case: escaping text content that is used as a value in an SQL statement between quotes. E.g.: $value …

Why is PDO better for escaping MySQL queries/querystrings than mysql_real_escape_string?

As the current answers go into details while your question is more aimed at a general overview, I’ll give it a try: The PDO classes aim to encapsulate all the functionality needed to interact with a database. They do this by defining ‘methods’ (OO parlance for functions) and ‘properties’ (OO parlance for variables). You’d use …