Is mysql_real_escape_string enough?

Just a quick question regarding PHP/MySQL security:

Does mysql_real_escape_string() provide sufficient protection to safely write user-submitted data to a database without any further validation? In other words, would the following be considered secure code:

$data = mysql_real_escape_string($_POST['BigTextField']);
mysql_query("INSERT INTO Table SET BigTextField='$data'");

I’m aware this could cause problems if/when the data is retrieved and displayed to users, but right now I’m mainly concerned if this code is secure from the standpoint of MySQL or PHP injection attacks.

mysql_real_escape_string only protects the database from potential dangers within the string. If you want to protect your web page from potential dangers in the string, you will need to separately escape the string for the web page by using htmlentities or htmlspecialchars.

An even better way to protect your database from injection is to make it impossible by keeping the SQL and data separate by using prepare and bind statements - either using mysqli or PDO. That eliminates even those attacks that might get past mysql_real_escape_string.
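The separation the answer describes, as an added example that is not part of the original thread: the question's escape-and-interpolate pattern shown for contrast, a PDO prepared statement that keeps user data out of the SQL text, and a separate htmlspecialchars step applied only when the value is rendered. The table name `big_text`, the column `id`, the MySQL DSN in the comment, and the in-memory SQLite database used so the file runs without a MySQL server are all assumptions; the question's `Table` is a reserved word, so it is not used as-is.

```php
<?php
// Added example, not code from the original post. Demonstrates prepare/bind
// with PDO and output escaping. Assumed names: table big_text, column id.
declare(strict_types=1);

// 1. The pattern from the question, kept only for contrast. The value is still
//    spliced into the SQL text, so safety depends on the escaping matching the
//    connection charset exactly (mysql_set_charset), and the mysql_* extension
//    no longer exists in PHP 7 and later.
function legacyInsertSql(string $escaped): string
{
    return "INSERT INTO big_text SET BigTextField='$escaped'";
}

// 2. Prepared statement: the SQL text contains a placeholder, never the data,
//    so nothing in $value can change the statement's structure.
function insertBigText(PDO $pdo, string $value): int
{
    $stmt = $pdo->prepare('INSERT INTO big_text (BigTextField) VALUES (:val)');
    $stmt->bindValue(':val', $value, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function fetchBigText(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT BigTextField FROM big_text WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $col = $stmt->fetchColumn();
    return $col === false ? null : (string) $col;
}

// 3. Escaping for the page is a separate concern, applied at output time only.
//    The stored value stays raw; it is encoded for the context it is emitted into.
function renderForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Connection. Against MySQL the DSN would be (assumed host/db name):
//   new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass, [
//       PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//       PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
//   ]);
// An in-memory SQLite database is used here so the file runs offline.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE big_text (id INTEGER PRIMARY KEY AUTOINCREMENT, BigTextField TEXT NOT NULL)');

// Constructed sample input: a quote that would break string interpolation,
// an injection attempt, and markup that would be dangerous if echoed raw.
$input = "O'Brien wrote: '); DROP TABLE big_text; -- <script>alert(1)</script>";

$id    = insertBigText($pdo, $input);
$round = fetchBigText($pdo, $id);

// The bound value is stored verbatim and the table still exists.
if ($round !== $input) {
    throw new RuntimeException('round-trip mismatch');
}
if ($pdo->query('SELECT COUNT(*) FROM big_text')->fetchColumn() != 1) {
    throw new RuntimeException('unexpected row count');
}

// The same raw value, encoded only when it is about to be placed in HTML.
$html = renderForHtml($round);
if (strpos($html, '<script>') !== false) {
    throw new RuntimeException('output not escaped');
}
echo "stored raw:   $round\n";
echo "rendered:     $html\n";
echo "legacy SQL:   " . legacyInsertSql(addslashes($input)) . "\n";
```

The legacy line at the end uses addslashes() purely to show what the interpolated statement looks like; it is not a substitute for mysql_real_escape_string and is not safe. The two hardened paths are independent: the prepared statement protects the database, and renderForHtml protects the page, and neither makes the other unnecessary.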