I was recently made aware of some subtle differences between mysql_real_escape_string() and PDO::prepare(), and thought I would pass on a great article stating why PDO::prepare() is preferred over mysql_real_escape_string(). If you are starting a new project or working on an existing project, and you are not using an ORM, I’d suggest using PDO for native SQL constructs rather than the mysql_* family of functions, not only for the reasons stated in the linked article, but also for ease of use and portability.
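One well-known difference, shown as an added example (not code from this post or the linked article): escaping only protects values that end up inside a quoted string literal, while a prepared statement keeps the value out of the SQL text entirely. The sketch assumes an in-memory SQLite database through PDO so it runs offline; `escape_only()` is a hypothetical stand-in for mysql_real_escape_string(), which was removed in PHP 7, and the table and inputs are constructed.

```php
<?php
// Constructed sample data in an in-memory SQLite database (assumption: pdo_sqlite is enabled).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");

// Hypothetical stand-in for mysql_real_escape_string(): like the real function,
// it only neutralises characters that could terminate a quoted string literal
// (for SQLite that is the single quote, which is doubled).
function escape_only(string $value): string
{
    return str_replace("'", "''", $value);
}

// Escaping approach: the value is concatenated into the SQL text.
function find_by_id_escaped(PDO $pdo, string $id): array
{
    // Defect being demonstrated: $id sits in an unquoted numeric context, so
    // escaping quote characters does not stop it being parsed as SQL.
    $sql = 'SELECT name FROM users WHERE id = ' . escape_only($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared statement: the SQL text is fixed and the value is bound separately,
// so the whole input is compared as a single value whatever it contains.
function find_by_id_prepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal id, and a value with no quote characters at all,
// which escape_only() therefore returns unchanged.
$inputs = ['2', '0 OR 1=1'];

foreach ($inputs as $input) {
    printf(
        "input %-10s escaped: %d row(s)   prepared: %d row(s)\n",
        var_export($input, true),
        count(find_by_id_escaped($pdo, $input)),
        count(find_by_id_prepared($pdo, $input))
    );
}
```

Comparing the two row counts for the second input shows whether the condition was widened; the same check works as a regression test when migrating mysql_* call sites to PDO.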