Well, mysql_real_escape_string doesn’t protect against SQL injections any more than addslashes does, but that’s not the reason you use it. addslashes() came from the developers of PHP, whereas mysql_real_escape_string uses the underlying MySQL C++ API (i.e. from the developers of MySQL). mysql_real_escape_string escapes EOF chars, quotes, backslashes, carriage returns, nulls, and line feeds. There is also the charset aspect.
However, it is a common belief among a lot of PHP programmers (beginners and even more advanced ones) that SQL injections are the only thing to guard against when sanitizing user input for use in a query. That, actually, is incorrect. If you rely only on *_escape_string and addslashes because you are thinking only about injections, you leave yourself vulnerable to attacks from users.
MySQL has some good tips for PHP programmers in their documentation that are, sadly, nowhere to be found in PHP’s documentation (that I know of, as I’ve read almost all, if not all, of PHP’s MySQL documentation).
http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf is a nice read, especially if you like reading articles about PHP programming (guilty). Scroll down to page 78, where they talk about LIKE attacks.
If you aren’t one for reading, they use the following illustration of something that neither mysql_real_escape_string nor addslashes protects against:
$sub = mysql_real_escape_string("%something"); // still %something
mysql_query("SELECT * FROM messages WHERE subject LIKE '{$sub}%'");
And they recommend the following:
$sub = addcslashes(mysql_real_escape_string("%something_"), "%_");
// $sub is now \%something\_ (a backslash before each LIKE wildcard)
mysql_query("SELECT * FROM messages WHERE subject LIKE '{$sub}%'");
Also, read the section above the section on LIKE: No Means of Escape.
Hope that helps some,
Jonathan
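The LIKE-wildcard problem from the post, as an added example that is not part of the original post: it uses PDO parameter binding for the quoting, a small like_escape() helper (assumed name, built on strtr with an explicit '!' escape character instead of addcslashes' backslash, which avoids backslash quoting differences between drivers) for the wildcards, and a constructed in-memory SQLite table to show the difference.

```php
<?php
// Added example (not from the original post): escape LIKE wildcards with an
// explicit ESCAPE character. Parameter binding prevents SQL injection;
// like_escape() handles % and _, which binding does not touch.

function like_escape(string $value, string $esc = '!'): string
{
    // Escape the escape character itself first, then the two LIKE wildcards.
    return strtr($value, [$esc => $esc . $esc, '%' => $esc . '%', '_' => $esc . '_']);
}

function count_subjects_starting_with(PDO $db, string $prefix, bool $escape): int
{
    $pattern = ($escape ? like_escape($prefix) : $prefix) . '%';
    // The same ESCAPE clause works on MySQL and SQLite.
    $stmt = $db->prepare("SELECT COUNT(*) FROM messages WHERE subject LIKE :p ESCAPE '!'");
    $stmt->execute([':p' => $pattern]);
    return (int) $stmt->fetchColumn();
}

// Constructed sample table and rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, subject TEXT)');
$ins = $db->prepare('INSERT INTO messages (subject) VALUES (?)');
foreach (['Hello', 'Private: salary data', '% off coupon', 'a_b', 'axb'] as $s) {
    $ins->execute([$s]);
}

// A user asks for subjects beginning with '%' or with 'a_'.
foreach (['%', 'a_'] as $input) {
    printf("%-3s unescaped=%d escaped=%d\n", $input,
        count_subjects_starting_with($db, $input, false),
        count_subjects_starting_with($db, $input, true));
}
```

Unescaped, the '%' input becomes the pattern '%%' and matches every row, and 'a_' matches both 'a_b' and 'axb'; escaped, each input matches only the subject that literally starts with it.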