what are the best methods for preventing MYSQL injection. I am currently using mysql_real_escape_string however when I look within my database it still excepts all the characters I inputted.

Whenever your dealing with user input make sure you validate it. If you expect the input to be numeric, make sure it is numeric. If you expect the input to be a string you may want to only allow certain characters. After you've done all of that, calling mysql_real_escape_string should be sufficient for preventing sql injections.

A good alternative to using mysql_real_escape_string is to use prepared statements. Look into PDO or mysqli.

Personally, I don't know all attack victors for MySQL, so I will only comment on Cross Site Scripting

As things stand, if you echo user input to a html page, your site is open to cross site scripting...and possibly cross site forgery, among other attack types.

There are many ways to prevent these attacks such as preventing users from entering any non alphanumerical values including HTML tags, css, etc.

aside from mysql_real_escape_string, you might also want to look into htmlentities, add_slashes and (like Nullpointer also noted) apply REGEX (regular expressions) tests for valid input.

also make sure you are sending data through the browser using $_POST as opposed to $_GET in certain instances.

I think better to use a library designed and maintained for the purpose, such as Htmlpurifier

One way is to run all data through a function that escapes it with the use of mysql_real_escape_string or mysql_escape_string