There are 2 faults with this approach, both coming from a single delusion.
`mysql_real_escape_string` doesn't "protect" your data. So, it should never be used for the purpose of any kind of "sanitizing". Using this function like this, you are exposing yourself to two not immediate but quite possible dangers.
- Escaping a password before hashing it may spoil the resulting hash.
- Escaping any value besides SQL strings will result in injection.
That's why you should always use parameterizing instead of "escaping". Just because parameterizing is doing its job, while "escaping" is used out of mere confusion.
I wrote a thorough explanation on the whole matter with escaping / parameterizing in an article you are welcome to read.
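The two faults listed above, next to the parameterized alternative, as an added example that is not part of the original answer. It assumes an in-memory SQLite database through PDO instead of MySQL; `mysql_escape_standin()` is a hypothetical stand-in that mimics the backslash escaping of `mysql_real_escape_string`, and the `users` table and sample values are constructed.

```php
<?php
// Added example. mysql_escape_standin() is a hypothetical stand-in that mimics the
// backslash escaping of mysql_real_escape_string, so no MySQL server is needed.
function mysql_escape_standin(string $s): string
{
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// Fault 1: hashing the escaped form of a password.
$password = "pa'ss\\word";                       // constructed sample value
$hash = password_hash(mysql_escape_standin($password), PASSWORD_DEFAULT);
// A later check that uses the raw password (no escaping, or different escaping
// rules) is compared against a hash of different bytes.
echo "raw password verifies: ";
var_dump(password_verify($password, $hash));

// Fault 2: escaping a value that is not placed inside an SQL string literal.
$pdo = new PDO('sqlite::memory:');               // assumption: pdo_sqlite is enabled
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");

$id = "1 OR 1=1";                                // constructed input for a numeric parameter
$escaped = mysql_escape_standin($id);
echo "escaping changed the value: ";
var_dump($escaped !== $id);

// No quotes around the value, so the escaped text is parsed as SQL.
$rows = $pdo->query("SELECT name FROM users WHERE id = $escaped")
            ->fetchAll(PDO::FETCH_COLUMN);
echo "rows from escaped, interpolated query: ", count($rows), "\n";

// Parameterized: the input is bound as one value and never parsed as SQL.
$stmt = $pdo->prepare("SELECT name FROM users WHERE id = ?");
$stmt->execute([$id]);
echo "rows from parameterized query: ", count($stmt->fetchAll(PDO::FETCH_COLUMN)), "\n";
```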