Will mysql real escape string prevent hack?

Question

Possible Duplicate:
Are mysql_real_escape_string() and mysql_escape_string() sufficient for app security?

I am new to PHP and wanted to make sure. If i use mysql_real_escape_string for user generated input (variables), the query won't be hacked?

Sample script:

// Getting Unique ID
$sql = "select `Person_id` from `accounts` where `username` = '$username'";
$query = mysql_query($sql) or die ("Error: ".mysql_error());
while ($row = mysql_fetch_array($query)){
    $pid = $row['Person_ID'];
}
mysql_free_result($query);
$username = mysql_real_escape_string($_POST['Username']);
$newname = mysql_real_escape_string($_POST['Full_name']);
$newgender = mysql_real_escape_string($_POST['Patient_gender']);
$newmonth = mysql_real_escape_string($_POST['Month']);
$newday = mysql_real_escape_string($_POST['Day']);
$newyear = mysql_real_escape_string($_POST['Year']);
$newacctss = mysql_real_escape_string($_POST['Acct_SS']);
$newaddress = mysql_real_escape_string($_POST['Address']);
$newaddress2 = mysql_real_escape_string($_POST['Address2']);
$newcity = mysql_real_escape_string($_POST['City']);
$newstate = mysql_real_escape_string($_POST['State']);
$newzipcode = mysql_real_escape_string($_POST['Zip_code']);
$newhomephone = mysql_real_escape_string($_POST['Home_phone']);
$newcellphone = mysql_real_escape_string($_POST['Cell_phone']);
$neworkphone = mysql_real_escape_string($_POST['Work_phone']);
$newsure = mysql_real_escape_string($_POST['Sure']);
$newfav = mysql_real_escape_string($_POST['Favorite']);
$newcars = mysql_real_escape_string($_POST['Cars']);
$newdrinks = mysql_real_escape_string($_POST['Drinks']);
$newmoi = mysql_real_escape_string($_POST['About_moi']);

//Update Name Only
$sql = "UPDATE accounts SET `full_name` = '$newname' WHERE Username = '$username'"; 
$query1 = mysql_query($sql) or die ("Error: ".mysql_error());

//Everything else being udpated here 
$sql2 = "UPDATE profile SET `Patient_gender` = '$newgender', 
`Month` = '$newmonth', `Day` = '$newday', `Year` = '$newyear', 
`Acct_SS` = '$newacctssn', `Address` = '$newaddress', 
`Address2` = '$newaddress2', `City` = '$newcity', `State` = '$newstate', 
`Zip_code` = '$newzipcode', `Home_phone` = '$newhomephone', 
`Cell_phone` = '$cellphone', `Work_phone` = '$neworkphone', 
`Sure` = '$newsure', `Favorite` = '$newfav', `Cars` = '$newcars', 
`Drinks` = '$newdrinks', `About_moi` = '$newmoi' WHERE Person_id = '$pid'"; 
$query2 = mysql_query($sql2) or die ("Error: ".mysql_error());

Answer 1

Don't use straight mysql. Use the mysqli(notice the i) or PDO library and use prepared statements. Using prepared statements is more secure than using straight queries and including the variable in the query string.

According to the PHP documentation, mysql will be deprecated. It is no longer underdevelopment and the mysqli and PDO extensions should be used instead.

Answer 2

You're pretty safe if your using both quotes and mysql_real_escape_string. You may want to look at PDO or at least mysqli for other reasons.