I have heard many times that people keep saying to use PDO statements to prevent SQL injection. I still use mysql_real_escape_string against SQL injection and htmlentities or strip_tags for XSS to protect forms, etc.
So, why PDO statements? Is mysql_real_escape_string not good anymore? Do PDO statements provide better security than mysql_real_escape_string? I work with procedural code only, just to let people fill in some short details to store in the database, then retrieve them and display them on pages.
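Added example, not part of the original question: the two approaches it compares, side by side, for exactly the store-and-display case described. The escaping approach builds query text by hand, so its safety depends on escaping every value, quoting every value, and the connection charset matching what the escaper assumes (mysql_set_charset); the mysql_* extension was also removed in PHP 7.0. With a prepared statement the SQL text and the values are sent separately, so a value cannot change the structure of the query. The table name `details`, its columns, the DSN and the credentials are hypothetical; the code otherwise uses only standard PDO calls, in procedural style.

```php
<?php
// Added example, not from the original question. Assumes a MySQL table
//   details (id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(100), note TEXT)
// and the connection parameters below; all of these are hypothetical.

// Escaping approach from the question (ext/mysql, PHP 5 only; removed in 7.0):
// the escaped value is concatenated into the query text, so correctness
// depends on escaping and quoting every value and on the connection charset.
//   $name = mysql_real_escape_string($_POST['name']);
//   $note = mysql_real_escape_string($_POST['note']);
//   mysql_query("INSERT INTO details (name, note) VALUES ('$name', '$note')");

// Prepared-statement approach: query text and values travel separately.
$dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';   // hypothetical
$pdo = new PDO($dsn, 'app_user', 'secret', [                 // hypothetical creds
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,    // fail loudly
    PDO::ATTR_EMULATE_PREPARES => false,                     // real server-side prepares
]);

// Store one form submission; returns the new row id.
function save_details(PDO $pdo, string $name, string $note): int
{
    $stmt = $pdo->prepare('INSERT INTO details (name, note) VALUES (:name, :note)');
    $stmt->execute([':name' => $name, ':note' => $note]);
    return (int) $pdo->lastInsertId();
}

// Retrieve one row by id; the id is bound as an integer, never interpolated.
function load_details(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT name, note FROM details WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Store: a hostile value such as  ' OR 1=1 --  is saved literally, not executed.
$id = save_details($pdo, $_POST['name'] ?? '', $_POST['note'] ?? '');

// Display: SQL injection and XSS are separate problems. The prepared statement
// protects the query; HTML escaping is applied at output time, for the HTML
// context, rather than mangling the data before it is stored.
$row = load_details($pdo, $id);
if ($row !== null) {
    echo '<p>', htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8'), '</p>';
    echo '<p>', htmlspecialchars($row['note'], ENT_QUOTES | ENT_HTML5, 'UTF-8'), '</p>';
}
```

Note that the stored data is left untouched: escaping for HTML on the way in (htmlentities before INSERT) corrupts the data for any non-HTML consumer and still leaves other output contexts (attributes, JavaScript, URLs) unprotected, so it belongs at the point of output.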