09-20-2010, 01:57 PM
Zyber (Confirmed User, joined Aug 2001, 832 posts)
Using mysql_real_escape_string() is a good start but it is far from being enough. Next you should make sure that you use ' around all values in SQL, both strings and numbers. Remove words such as UNION, SELECT, DROP, LOAD, BENCHMARK # -- /* and so on.

There are so many possible ways of injection that it is close to impossible to make it really bulletproof.

You should make a read-only SQL user with only read rights (for that particular database) which you use for your SELECT statements.

Never use the root mysql user.

Then have one user with write-only rights for UPDATE, delete-only for DELETE, etc.

If you are even more paranoid you could lock certain SQL commands to certain tables to mitigate the potential damage.

Doing this approach with multiple SQL connections can be difficult on premade scripts.

I am sure there are many more things to do. But for sure you are not protected if you only rely on that PHP code.

Maybe someone else can chime in with more and better suggestions.
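An added example (not from Zyber's post) of the two points above in PHP: a helper that escapes and single-quotes every value, numbers included, next to the parameterized form that takes the value out of the SQL text entirely, with SELECTs on a read-only account and UPDATEs on a separate write account. The host, credentials, database `shop`, table `products` and account names are placeholders; the keyword blacklist is not shown.

```php
<?php
// Added example; host, credentials, database, table and account names are placeholders.
// mysqli is used because the old mysql_* functions were removed in PHP 7; the
// escaping rule is the same as for mysql_real_escape_string().

// Accounts a DBA creates once, so the application never connects as root:
//   CREATE USER 'app_reader'@'localhost' IDENTIFIED BY '...';
//   GRANT SELECT ON shop.* TO 'app_reader'@'localhost';
//   CREATE USER 'app_writer'@'localhost' IDENTIFIED BY '...';
//   GRANT INSERT, UPDATE ON shop.* TO 'app_writer'@'localhost';
$read  = new mysqli('localhost', 'app_reader', 'READER_PASSWORD', 'shop');
$write = new mysqli('localhost', 'app_writer', 'WRITER_PASSWORD', 'shop');

// The escaper is charset-aware: set the connection charset explicitly so the
// escaping matches what the server will parse.
$read->set_charset('utf8mb4');
$write->set_charset('utf8mb4');

// Escape AND quote every value, numbers included. An unquoted "WHERE id = $id"
// passes "1 OR 1=1" through untouched: there is no quote in it to escape.
function sql_quote(mysqli $db, $value): string {
    return "'" . $db->real_escape_string((string) $value) . "'";
}

$id    = $_GET['id'] ?? '';
$price = (float) ($_POST['price'] ?? 0);

// Escape-and-quote form, on the read-only connection.
$sql    = "SELECT name, price FROM products WHERE id = " . sql_quote($read, $id);
$result = $read->query($sql);

// Same read as a prepared statement: the value is sent separately from the SQL
// text, so neither quoting nor keyword filtering is needed for it.
$stmt = $read->prepare('SELECT name, price FROM products WHERE id = ?');
$stmt->bind_param('s', $id);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);

// Writes go only through the write account. A flaw in a SELECT path then cannot
// be turned into an UPDATE, since app_reader holds no write privilege.
$stmt = $write->prepare('UPDATE products SET price = ? WHERE id = ?');
$stmt->bind_param('ds', $price, $id);
$stmt->execute();
```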