What are the potential risks of not using mysql_real_escape_string in PHP applications?

Omitting mysql_real_escape_string leaves a PHP application open to SQL injection: user input concatenated into a query can change the query itself, letting a malicious user access or modify sensitive data. To prevent this, always pass user input through mysql_real_escape_string to escape special characters before using it in an SQL query.

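// Example of using mysql_real_escape_string to prevent SQL injection
// Requires an open connection from mysql_connect(); the mysql_* functions exist only in PHP versions before 7.0
$input = isset($_POST['user_input']) ? $_POST['user_input'] : '';
$escaped_input = mysql_real_escape_string($input);
// The escaped value is only safe inside a quoted string literal, as here
$query = "SELECT * FROM users WHERE username='$escaped_input'";
$result = mysql_query($query);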
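
An added example, not code from the original page, that goes one step beyond it: the same lookup is built by plain concatenation, with an escaped value, and with a bound parameter, then run against three constructed inputs. It assumes PHP with the pdo_sqlite extension; an in-memory SQLite database stands in for MySQL so the script runs offline, PDO::quote() plays the role mysql_real_escape_string plays above, and the table, function names and inputs are constructed for illustration.

```php
<?php
// Added example: SQLite in memory stands in for MySQL so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)");
$db->exec("INSERT INTO users (username, email) VALUES
    ('alice', 'alice@example.test'), ('bob', 'bob@example.test'), ('carol', 'carol@example.test')");

// Constructed inputs standing in for $_POST['user_input'].
$inputs = array("alice", "nobody' OR '1'='1", "O'Brien");

function lookup_unescaped(PDO $db, $input) {
    // Input is pasted into the SQL text, so a quote in it ends the string literal.
    $sql = "SELECT username FROM users WHERE username='$input'";
    try {
        return count($db->query($sql)->fetchAll(PDO::FETCH_COLUMN));
    } catch (PDOException $e) {
        return 'SQL error'; // a stray quote leaves the statement malformed
    }
}

function lookup_escaped(PDO $db, $input) {
    // PDO::quote() escapes special characters and wraps the value in quotes.
    $sql = "SELECT username FROM users WHERE username=" . $db->quote($input);
    return count($db->query($sql)->fetchAll(PDO::FETCH_COLUMN));
}

function lookup_prepared(PDO $db, $input) {
    // The value is bound as data and never becomes part of the SQL text.
    $stmt = $db->prepare("SELECT username FROM users WHERE username = ?");
    $stmt->execute(array($input));
    return count($stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Rows matched per input: only an exact username should ever match.
foreach ($inputs as $input) {
    printf("%-20s unescaped=%-10s escaped=%d prepared=%d\n", $input,
        lookup_unescaped($db, $input), lookup_escaped($db, $input), lookup_prepared($db, $input));
}
```

The unescaped lookup matches every row for the second input and fails outright on the third, while the escaped and prepared lookups treat both as ordinary usernames that match nothing.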