It's half true: real_escape_string is not a silver bullet to protect against SQL injection. google://sql+injection+with+mysql+real+escape+string. If you always believe in real_escape_string, you have a false sense of safety.
The best way to go about it would probably be to use prepared statements, though that would take more complicated code to execute properly.
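To make the "half true" concrete, here is an added example (not code from either commenter) of the best-known failure mode: an escaping function only neutralises characters that matter inside a quoted string literal, so it does nothing for a value spliced into an unquoted numeric context, while a parameterised (prepared) statement protects both. It uses Python's sqlite3 in memory as a stand-in for the MySQL server; `escape_string` is a simplified stand-in for mysql_real_escape_string that uses SQLite's quote-doubling rule instead of MySQL's backslash escaping, and the users table and queries are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not from the original page).
USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
    (4, "O'Brien", "obrien@example.com"),
]


def make_db():
    """In-memory SQLite database standing in for the MySQL server (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def escape_string(value):
    """Simplified stand-in for mysql_real_escape_string (assumption).

    MySQL escapes with backslashes; SQLite string literals escape a quote by
    doubling it, so that rule is used here. Either way, the function only
    neutralises characters that matter INSIDE a quoted string literal.
    """
    return str(value).replace("'", "''")


def find_by_name_escaped(conn, name):
    # Quoted string context: escaping is sufficient here.
    sql = "SELECT id FROM users WHERE name = '%s' ORDER BY id" % escape_string(name)
    return [row[0] for row in conn.execute(sql)]


def find_by_id_escaped(conn, user_id):
    # Unquoted numeric context: there is no quote to escape, so an input such
    # as "1 OR 1=1" is spliced into the query verbatim and returns every row.
    sql = "SELECT id FROM users WHERE id = %s ORDER BY id" % escape_string(user_id)
    return [row[0] for row in conn.execute(sql)]


def find_by_name_param(conn, name):
    # Prepared/parameterised statement: the value never becomes SQL text.
    sql = "SELECT id FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def find_by_id_param(conn, user_id):
    # Same for the numeric column: the bound value is compared as data, so
    # "1 OR 1=1" is just a string that matches no integer id.
    sql = "SELECT id FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (user_id,))]


if __name__ == "__main__":
    conn = make_db()
    print("escaped, string ctx, O'Brien    ->", find_by_name_escaped(conn, "O'Brien"))
    print("escaped, string ctx, injection  ->", find_by_name_escaped(conn, "' OR '1'='1"))
    print("escaped, numeric ctx, injection ->", find_by_id_escaped(conn, "1 OR 1=1"))
    print("param,   numeric ctx, injection ->", find_by_id_param(conn, "1 OR 1=1"))
```

Running it shows the escaped string lookup handling both the apostrophe in O'Brien and the quoted-context injection attempt correctly, while the escaped numeric lookup returns all four ids for "1 OR 1=1" and the parameterised lookup returns none. Binding parameters is the fix; casting the id to an integer before binding is a cheap extra check on top of it.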