SQL Injection?

08-16-2005, 01:56 PM, timsquash5 (Extreme Talker, Posts: 219, Location: UK, East Anglia)

What is the best way to stop it? I'm currently using mysql_real_escape_string() on everything that comes in contact with a query. Is this enough to prevent attacks? Or should I be doing something else as well?
08-16-2005, 07:42 PM, AxE (Skilled Talker, Posts: 62)

Good question, I'd like to know this too.

I usually just use trim(mysql_real_escape_string($var)); and I've not had any trouble, but then again, my site isn't exactly popular at the moment :P or at least, not popular enough to have a random attempt at taking it down :P
08-17-2005, 07:38 AM, ibbo (Super Spam Talker, Posts: 880, Location: Leeds UK)

get_magic_quotes_gpc() along with addslashes() normally does the trick.

I don't care what people say about turning get_magic_quotes_gpc off, for basically when it is on you will provide that extra bit of security to your system.

E.g.

No magic quotes:
if your post data $password = "apass" OR 1="1";
then
select * from users where password=$password will get every user's details. If magic quotes are on it will fail with no results.

trim, addslashes etc. and all those other methods are sound and it's advisable for us to use them. But simply leave magic_quotes_gpc on and you're almost protected. ALMOST.

If you're extremely paranoid you can break down user input and scan it for bad SQL.

Basically trust nothing your users post you.

Ibbo
__________________
www.nationalclubgolfer.com www.sportspub.co.uk www.bespokecc.co.uk www.centralmarquees.co.uk
Linux user #349545 :
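An added example, not code from anyone in the thread, that puts the first post's question (is escaping every value enough?) and ibbo's `where password=$password` example to the test. It is Python over an in-memory SQLite database rather than PHP/MySQL so that it runs stand-alone; the `users` table, its two sample rows and the `escape()` helper are constructed here as assumptions, and `escape()` uses standard-SQL quote doubling in place of mysql_real_escape_string()/addslashes() because SQLite does not treat backslash as an escape. What it shows: escaping protects a value only while that value sits inside a quoted literal in the query; a value that is interpolated without quotes, as in the post above, is injectable with a payload that contains no quote character at all, so escaping or magic quotes cannot touch it; a bound parameter is safe in both contexts, and a numeric field is better served by type validation than by escaping.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table with two constructed sample rows
    (assumed data, not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, name, password) VALUES (?, ?, ?)",
        [(1, "alice", "apass"), (2, "bob", "hunter2")],
    )
    conn.commit()
    return conn


def escape(value: str) -> str:
    """Escape a value for use INSIDE a single-quoted SQL string literal.

    Stand-in for mysql_real_escape_string()/addslashes() (assumption: SQLite has
    no backslash escapes, so standard-SQL quote doubling is used instead). Note
    what it cannot do: a payload with no quote character in it passes through
    untouched, which is why escaping is useless for an unquoted value.
    """
    return value.replace("'", "''")


def login_quoted_raw(conn, password: str) -> list:
    """Quoted literal, NO escaping: the textbook injection."""
    sql = "SELECT name FROM users WHERE password = '%s' ORDER BY id" % password
    return [row[0] for row in conn.execute(sql)]


def login_quoted_escaped(conn, password: str) -> list:
    """Quoted literal, escaped: this is where escaping actually helps."""
    sql = "SELECT name FROM users WHERE password = '%s' ORDER BY id" % escape(password)
    return [row[0] for row in conn.execute(sql)]


def login_unquoted_escaped(conn, password: str) -> list:
    """Escaped but NOT quoted, the shape of `where password=$password` in the
    thread: the attacker never needs a quote, so escaping changes nothing."""
    sql = "SELECT name FROM users WHERE password = %s ORDER BY id" % escape(password)
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, password: str) -> list:
    """Bound parameter: the value is never parsed as SQL, quoted context or not."""
    sql = "SELECT name FROM users WHERE password = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (password,))]


def user_by_id(conn, raw_id: str) -> list:
    """For a numeric field, validate the type instead of escaping: anything that
    is not a plain integer is rejected before it gets near the query."""
    if not raw_id.isdigit():
        return []
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (int(raw_id),))]


if __name__ == "__main__":
    conn = make_db()
    quoted_payload = "' OR '1'='1"    # needs a quote to break out of the literal
    unquoted_payload = "0 OR 1=1"      # no quote at all, nothing for escape() to do
    print("raw, quoted:       ", login_quoted_raw(conn, quoted_payload))
    print("escaped, quoted:   ", login_quoted_escaped(conn, quoted_payload))
    print("escaped, unquoted: ", login_unquoted_escaped(conn, unquoted_payload))
    print("parameterized:     ", login_parameterized(conn, quoted_payload),
          login_parameterized(conn, unquoted_payload))
    print("id validated:      ", user_by_id(conn, "1"), user_by_id(conn, "1 OR 1=1"))
```

Running it, the raw quoted query and the escaped-but-unquoted query both return every user, while the escaped quoted query and both parameterized queries return nothing for the payloads. In PHP the parameterized form is a prepared statement via mysqli or PDO; magic_quotes_gpc was removed in PHP 5.4 and the mysql_* extension in PHP 7, so neither escaping route in the thread exists in current PHP.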