PHP / Mysql security question

This is pretty open ended, but generally, what do you guys do for mysql security? Will using “mysql_real_escape_string” do the trick or are there other holes to plug? For example, do I need to worry about certain characters like “--” or “;”?

One piece of advice I received suggested only allowing strings into the database. If I have my table column labeled “VARCHAR” does this automatically make the conversion, or do I need to convert it with php before sending it to the database?

What methods do you guys use? Any comprehensive resources you can point me towards?

Thanks
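As an added example (not the original poster's code, and not from any project mentioned above), here is the pattern that answers the question in practice: the SQL text stays fixed and every user-supplied value travels as a bound parameter, so characters such as `--`, `;` or quotes never need case-by-case handling. It assumes PHP's PDO extension with the MySQL driver, a table `users(id INT, name VARCHAR(64), email VARCHAR(255))`, and placeholder connection details; the vulnerable function is shown next to the hardened one to make the difference concrete.

```php
<?php
// Added example, not the original poster's code. Assumes a MySQL database
// reachable with the placeholder DSN/credentials below and a table
// users(id INT, name VARCHAR(64), email VARCHAR(255)).

declare(strict_types=1);

$dsn  = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4'; // placeholder
$user = 'app_user';                                        // placeholder
$pass = 'app_password';                                    // placeholder

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    // Ask the server for real prepared statements instead of client-side
    // emulation, so values are never spliced into the SQL text at all.
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Vulnerable pattern: input concatenated into the statement text. Escaping
// only protects a value that sits inside a quoted string literal; here the id
// is unquoted, so escaping quotes changes nothing and the caller still
// controls the structure of the query.
function findUserVulnerable(PDO $pdo, string $id): ?array
{
    $sql = 'SELECT id, name, email FROM users WHERE id = ' . $id; // do not do this
    $row = $pdo->query($sql)->fetch();
    return $row === false ? null : $row;
}

// Hardened form: the SQL text is constant and the value is bound with an
// explicit type. A column's declared type (INT, VARCHAR, ...) does not
// validate or sanitize input on its way in; do that in PHP first.
function findUserById(PDO $pdo, string $rawId): ?array
{
    // Reject anything that is not a plain non-negative integer string.
    if (!ctype_digit($rawId)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// String values work the same way: a bound parameter is always data, never
// part of the statement, so "--", ";" and quotes need no special treatment.
function findUsersByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Usage with untrusted request values:
$found = findUserById($pdo, $_GET['id'] ?? '');
$rows  = findUsersByName($pdo, $_GET['name'] ?? '');
```

The same approach applies to `mysqli` with `prepare()`/`bind_param()`; the point is that escaping is a per-value patch that depends on context (quoted string versus bare number), whereas parameter binding removes the question entirely. Validate input shape in PHP (as `findUserById` does with `ctype_digit`) rather than relying on the column type to reject bad data.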