Escape from Database Island

This is unnerving:

[bobbojones@desktop app]$ grep -R mysql_real_ * | wc -l
      20
[bobbojones@desktop app]$ find . | xargs wc -l | tail -n 1
   19199 total

In nearly 20,000 lines of code, the function mysql_real_escape_string() is called only 20 times.  I estimate, very conservatively, that there are over 300 distinct queries in that code base.

I’m really hoping someone thought they’d be cute and wrap mysql_real_escape_string() inside some other function.
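
An added example, not part of the original post: one way to test the hope in the last sentence is to list the functions that wrap mysql_real_escape_string() and compare how often they are called against the number of mysql_query() call sites. The helper names, the db_quote wrapper and the sample files are constructed for illustration, and the wrapper detection is a line-based heuristic.

```shell
#!/bin/sh
# Added example (not from the original post): escaping-coverage audit.

# Print every line of the *.php files under $1 that matches ERE $2.
php_grep() {
    find "$1" -type f -name '*.php' -exec grep -hE -- "$2" {} +
}

# Count raw query call sites and direct escape calls under $1.
count_queries() { php_grep "$1" 'mysql_(unbuffered_)?query[[:space:]]*\(' | wc -l | tr -d ' '; }
count_escapes() { php_grep "$1" 'mysql_real_escape_string[[:space:]]*\(' | wc -l | tr -d ' '; }

# List functions that call mysql_real_escape_string(). Heuristic: the call is
# attributed to the most recent "function name(" declaration in the same file,
# so treat the output as candidates to review, not proof.
find_wrappers() {
    find "$1" -type f -name '*.php' -exec awk '
        FNR == 1 { fn = "" }
        match($0, /function[ \t]+[A-Za-z_][A-Za-z0-9_]*[ \t]*\(/) {
            fn = substr($0, RSTART, RLENGTH)
            sub(/^function[ \t]+/, "", fn); sub(/[ \t]*\($/, "", fn)
        }
        /mysql_real_escape_string[ \t]*\(/ && fn != "" { print fn }
    ' {} + | sort -u
}

# Count call sites of wrapper $2 under $1, excluding its own declaration.
count_wrapper_calls() {
    php_grep "$1" "(^|[^A-Za-z0-9_])${2}[[:space:]]*\(" |
        grep -vE -- "function[[:space:]]+${2}[[:space:]]*\(" | wc -l | tr -d ' '
}

# Constructed sample tree (hypothetical files) for a dry run of the audit.
make_sample_tree() {
    mkdir -p "$1/lib"
    cat > "$1/lib/db.php" <<'EOF'
<?php
function db_quote($v) {
    return "'" . mysql_real_escape_string($v) . "'";
}
EOF
    cat > "$1/user.php" <<'EOF'
<?php
$r = mysql_query("SELECT * FROM users WHERE name = " . db_quote($_GET['name']));
$s = mysql_query("SELECT * FROM posts WHERE id = " . $_GET['id']);
$t = mysql_query("SELECT * FROM tags WHERE tag = " . db_quote($_GET['tag']));
EOF
}
```

Run `find_wrappers .` from the application root, then `count_wrapper_calls . NAME` for each name it prints. A wrapper-call count far below the query count means most queries still have to be read by hand.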