
SQL injection that bypasses mysql_real_escape_string() — how to protect yourself?

Hello everyone! I'm a beginner PHP developer and I've encountered a very strange situation. Many forums say that the `mysql_real_escape_string()` function is a reliable protection against SQL injections, and I've always used it. But recently I read that there are ways to bypass it, and it really scared me. I have a simple user authentication code:

```php
// Escape the raw POST values, then build the query string by interpolation
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysql_query($query);
```

I thought that escaping all quotes and special characters makes the query safe. But they say that if a multibyte encoding is used (e.g., GBK or SJIS), you can choose a sequence of characters that "eats" the escaping backslash and allows arbitrary SQL code to be inserted. Is this true? How exactly does it work? And most importantly — how should I properly protect my queries now? Is it really
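The mechanism the question describes is a mismatch between the character set the escaping function assumes and the one the server parses with: in a multibyte charset, an escaping backslash can become the trailing byte of a two-byte character, so the quote after it is no longer escaped. Two defences close that gap. First, set the connection character set through the client API (`mysqli::set_charset()`, or `mysql_set_charset()` on the legacy extension, not a raw `SET NAMES` query), so the escaping routine and the server agree on the encoding. Second, and more robustly, use prepared statements so that user input is never spliced into the SQL text at all. The following hardened version of the login query is an added example and not code from the original post; it assumes a `users` table with `username` and `password_hash` columns, a `password_hash` value stored by `password_hash()`, and placeholder connection credentials.

```php
<?php
// Added example (not from the original post): a login check that is not
// affected by the multibyte escaping bypass. Assumes a `users` table with
// `username` and `password_hash` columns; the credential strings are placeholders.

declare(strict_types=1);

function connectDb(string $host, string $user, string $pass, string $db): mysqli
{
    // Make mysqli throw exceptions instead of silently returning false
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $conn = new mysqli($host, $user, $pass, $db);
    // Declare the connection charset through the client API. This is what
    // keeps client-side escaping and the server's parser in agreement; a
    // plain "SET NAMES ..." query does not update the client library.
    $conn->set_charset('utf8mb4');
    return $conn;
}

function authenticate(mysqli $conn, string $username, string $password): bool
{
    // The SQL text contains only a placeholder; the username travels to the
    // server as a separate parameter, so no byte sequence in it can change
    // the structure of the statement.
    $stmt = $conn->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        return false;
    }
    // Compare against a stored password_hash() value rather than a plaintext
    // password column; the password itself never reaches the SQL text.
    return password_verify($password, $storedHash);
}

// Usage: credentials are placeholders, replace them with your own settings.
$conn = connectDb('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');

$ok = authenticate($conn, (string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
echo $ok ? "Login OK\n" : "Login failed\n";
```

The prepared statement is the part that matters for the injection question: because `$username` is bound as a parameter, the server never has to decide where the string literal ends, so the charset trick has nothing to act on. The `set_charset()` call is still worth keeping for any remaining code paths that escape values by hand, and the `mysql_*` extension the original snippet uses has been removed from PHP 7 and later, so moving to mysqli or PDO is needed regardless.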