Interesting article:

http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html