What is the difference between mysql_real_escape_string and PDO prepared statements in PHP?

The main difference between mysql_real_escape_string and PDO prepared statements in PHP is that mysql_real_escape_string only escapes special characters in a string that you then concatenate into the SQL text, while PDO prepared statements provide a more secure way to interact with a database by separating the SQL code from user input. Because parameter values are never interpolated into the query string, PDO prepared statements handle the quoting and escaping of parameters for you, which makes them much less prone to SQL injection attacks.

<?php
// Using PDO prepared statements to interact with a MySQL database
$pdo = new PDO(
    'mysql:host=localhost;dbname=mydatabase;charset=utf8mb4',
    'username',
    'password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION] // report failures as exceptions instead of a silent false
);

// The SQL text is fixed; the user-supplied value is passed separately as a bound parameter
$stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username');
$stmt->execute([':username' => $_POST['username'] ?? '']);

$user = $stmt->fetch(PDO::FETCH_ASSOC);
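The following is an added example, not code from the original answer, that puts the two approaches side by side: a query built by concatenating the raw string into the SQL text, next to the same lookup done with a PDO prepared statement. It uses an in-memory SQLite database so it runs without a MySQL server (the prepared-statement pattern is identical with the mysql: driver). The table schema, the two sample rows, the constructed input string, and the function names lookupUnsafe and lookupSafe are all assumptions made for this example.

```php
<?php
// Added example, not from the original answer. SQLite in memory stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data for the demonstration.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// 1. Vulnerable: the value is spliced into the SQL text, so a quote inside it
//    changes the structure of the statement instead of staying a literal.
function lookupUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT username FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Safe: the SQL text is fixed at prepare() time and the value is supplied
//    separately as a parameter, so it can only ever be compared as data.
function lookupSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input containing a single quote: the classic shape an attacker
// would send to break out of the string literal in the concatenated version.
$untrustedInput = "' OR '1'='1";

// The concatenated query has its WHERE clause rewritten and matches every row;
// the prepared statement looks for a user literally named "' OR '1'='1" and
// matches nothing, while an ordinary name still works as expected.
var_dump(lookupUnsafe($pdo, $untrustedInput));
var_dump(lookupSafe($pdo, $untrustedInput));
var_dump(lookupSafe($pdo, 'alice'));
```

Run it with `php example.php`. The point to take from the two functions is that the prepared statement needs no escaping logic at all: the database receives the statement text and the value through separate channels, so there is no encoding step that can be done wrong, which is exactly the weakness of relying on mysql_real_escape_string and string concatenation.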