I'll leave you to decide on everything but mysql_real_escape_string(), always use real escape string since it adapts it method to that specific version of MySql. I did some digging and it is supported from version 4.3, I don't care to cater to anything below version 5 so it will not be an issue.

__________________