
  Combating SQL injection with prepared statements

A better way of combating SQL injection is to use prepared statements. With a prepared statement, the SQL query is sent to the database first with placeholders where the values will go; the user-supplied values are then sent separately and bound to those placeholders. Because the query text has already been parsed before the values arrive, user input cannot change the logic of the query, no matter what characters it contains. This also means there is nothing for you to escape: a single quote mark in a value stays a single quote mark inside the value, so you do not call mysql_real_escape_string() on it (the old mysql_ extension is deprecated and was removed in PHP 7 anyway; use PDO or mysqli, both of which support prepared statements). Two caveats: placeholders only stand in for values, not for table or column names, so those still have to come from a whitelist in your own code; and PDO's MySQL driver emulates prepared statements on the client by default, quoting the values itself, so set PDO::ATTR_EMULATE_PREPARES to false if you want the query and the values genuinely sent to the server separately.
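The difference between building the query from strings and binding the values separately is easiest to see by running both against the same data. The following is an added example, not code from the lecture; it uses Python's built-in sqlite3 module and an in-memory database with constructed sample rows instead of PHP and MySQL, because the behaviour it demonstrates is the same in any driver that supports parameter binding (sqlite3's `?` placeholder corresponds to the `?` placeholder in PDO and mysqli). The function names and the two sample users are assumptions for the illustration.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the lecture's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # executemany binds each tuple separately; the INSERT text never changes.
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("o'brien", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, the pattern the lecture is
    replacing. Whatever the user types becomes part of the SQL text, so it is
    parsed as SQL."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_prepared(conn, username, password):
    """Prepared statement: the query text is fixed and contains only
    placeholders; the values travel separately and are compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password)).fetchall()]


def run_demo():
    """Runs both versions with a classic injection payload and with a
    legitimate value that contains a quote, and returns what each did."""
    conn = make_db()
    payload = "' OR '1'='1"   # turns the WHERE clause into ... OR '1'='1'
    results = {
        # Concatenated query: the payload rewrites the logic and every row matches.
        "vulnerable_injected": login_vulnerable(conn, "alice", payload),
        # Prepared query: the payload is just a password string that matches nobody.
        "prepared_injected": login_prepared(conn, "alice", payload),
        # Prepared query: a quote inside a real value needs no escaping at all.
        "prepared_quote_in_name": login_prepared(conn, "o'brien", "hunter2"),
    }
    try:
        # Concatenated query: the same quote breaks the SQL, which is exactly
        # why mysql_real_escape_string() was needed with that approach.
        login_vulnerable(conn, "o'brien", "hunter2")
        results["vulnerable_quote_in_name"] = "ok"
    except sqlite3.OperationalError:
        results["vulnerable_quote_in_name"] = "syntax error"
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

Running it shows the concatenated version returning every user for the injected password and failing outright on the name with an apostrophe, while the prepared version returns nothing for the payload and finds o'brien without any escaping.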