On my old projects, I just have a function DB::esc()
that wraps whatever escape function goes to the library I'm using, be it mysql_real_escape_string
or whatever else.
On my new projects, I use prepared statements and let the extension handle it.