mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
This function must always be used to make data safe before sending a query to MySQL.
A MySQL connection is required before using mysql_real_escape_string(); otherwise an error of level E_WARNING is generated and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used.
Using mysql_real_escape_string() in PHP, we can prevent database attacks. A small example is shown below:

function safe($value)
{
    global $conn;
    // The string to escape comes first, the connection (link_identifier) second
    return mysql_real_escape_string($value, $conn);
}

// safe sql
$firstname = safe($_POST['firstname']);
$lastname  = safe($_POST['lastname']);
$username  = safe($_POST['username']);
$password  = safe($_POST['password']);
// Escaped values must still be wrapped in quotes inside the query
$sql = "select * from table_name where username='$username' and password='$password'";

What could happen if we do not use mysql_real_escape_string() on the username and password:

$conn = mysql_connect("localhost", "joseph", "joseph123");
if (!$conn) {
    die('Could not connect: ' . mysql_error());
}
// Could be anything the user wanted! Example:
$_POST['username'] = 'joseph';
$_POST['password'] = "' OR ''='";
// User input is placed into the query without escaping
$result = "select * from table_name
where username='{$_POST['username']}'
and password='{$_POST['password']}'";
// some code
The SQL sent would be:
SELECT * FROM table_name
WHERE username='joseph' AND password='' OR ''=''

This means that anyone could log in without a valid password!
To prevent these attacks, use the mysql_real_escape_string() function.
• mysql_real_escape_string() is necessary to control what users store in the database and to prevent SQL injection.
• mysql_real_escape_string() ensures that whatever the user enters is processed before it is stored in the database, and that characters with special meaning to the SQL engine are properly escaped.
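
The effect of the escaping rule on the login query above, as an added example that is not part of the original page: escape_model(), build_login_sql() and count_unescaped_quotes() are hypothetical helper names, and escape_model() is only a model of the character list given at the top of the page so that it runs without a database connection (the mysql_* extension itself was removed in PHP 7.0, so the model does not call it).

```php
<?php
// Illustration only: models the backslash rule from the page. The real
// function is charset-aware and needs a live MySQL connection.
function escape_model(string $value): string
{
    // strtr() with an array never re-scans replaced text, so a backslash
    // added for a quote is not escaped a second time.
    return strtr($value, [
        "\\"   => "\\\\",
        "\x00" => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => "\\Z",
    ]);
}

// Builds the page's login query, with or without escaping the inputs.
function build_login_sql(string $username, string $password, bool $escape): string
{
    if ($escape) {
        $username = escape_model($username);
        $password = escape_model($password);
    }
    // Escaping only protects values that sit inside quotes in the query.
    return "SELECT * FROM table_name WHERE username='$username' AND password='$password'";
}

// Counts quotes that MySQL would treat as string delimiters (not preceded
// by an escaping backslash). More than two per value means the input has
// broken out of its string literal.
function count_unescaped_quotes(string $sql): int
{
    $count = 0;
    for ($i = 0, $n = strlen($sql); $i < $n; $i++) {
        if ($sql[$i] === '\\') { $i++; continue; } // skip the escaped character
        if ($sql[$i] === "'") { $count++; }
    }
    return $count;
}

// Constructed sample input: the values used in the example on this page.
foreach ([false, true] as $escape) {
    $sql = build_login_sql('joseph', "' OR ''='", $escape);
    printf("escaped=%s delimiter quotes=%d\n%s\n\n",
        $escape ? 'yes' : 'no', count_unescaped_quotes($sql), $sql);
}
```

With escaping on, the only delimiter quotes left are the ones the query itself places around the two values, so the password input stays a single string literal.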