In a nutshell, it makes a string safe to be entered into a database….

For example:

$email = 'myemail@domain.co.uk'; // This could come from a form, etc.
$result = mysql_query("SELECT * FROM `userTable` WHERE `userEmail`= '".mysql_real_escape_string($email)."'");

This example checks to see if an email address is in the userTable. Without mysql_real_escape_string, the email entered via a form could be an attempt to SQL inject and delete or alter your database.

Another solution is to create a function, especially useful if you include a sitewide ‘config’ or settings file at the top of your page…

function escape_data($data) { return mysql_real_escape_string(trim($data)); }