attack Why mysql_real_escape_string() isn't enough to stop SQL injection attacks! We have all been there writing PHP code and trusting mysql_real_escape_string(). Alas it seems it is not enough, let us look at the example below ; $id = “0; DELETE FROM users”