mysqli_real_escape_string(); vs filter_var(); vs Prepared Statements
Which one is more secure?
bhukkel
11:42 am on May 8, 2017 (gmt 0)
I check all my input with filter functions like filter_var or my own functions, regardless of whether it ends up stored in a database. There are more hacks or bugs possible than SQL injection.
For MySQL I use the MySQLi functions with prepared statements. I think prepared statements and real_escape are both secure as long as you use them correctly. But it is easy to forget the escape function, so I just learned to always use prepared statements.
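
The approach described in the post above, as an added example that is not part of the original thread: input is validated with filter_var() and then passed to a MySQLi prepared statement, with an escaped variant beside it to show what correct use of real_escape_string() requires. The `users` table, the function names and the connection details are assumptions made for illustration; the code needs PHP 8 with mysqlnd.

```php
<?php
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

/**
 * Validate input with filter_var(), then query with a prepared statement.
 * Table `users` (id INT, email VARCHAR) is hypothetical.
 */
function findUser(mysqli $db, mixed $rawId, mixed $rawEmail): ?array
{
    // Validation: reject anything that is not the expected type or shape.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $email = filter_var($rawEmail, FILTER_VALIDATE_EMAIL);
    if ($id === false || $email === false) {
        throw new InvalidArgumentException('Invalid id or email');
    }

    // Prepared statement: values travel separately from the SQL text,
    // so there is no escaping step to forget.
    $stmt = $db->prepare('SELECT id, email FROM users WHERE id = ? AND email = ?');
    $stmt->bind_param('is', $id, $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/** Same query built with escaping, showing what "used correctly" requires. */
function findUserEscaped(mysqli $db, int $id, string $email): ?array
{
    // Escaping is only safe inside quotes and with the connection charset set
    // through set_charset(). The integer is formatted with %d because escaping
    // does not protect an unquoted numeric context.
    $sql = sprintf(
        "SELECT id, email FROM users WHERE id = %d AND email = '%s'",
        $id,
        $db->real_escape_string($email)
    );
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

// Placeholder connection details (assumptions for this example).
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');
var_dump(findUser($db, $_GET['id'] ?? '1', $_GET['email'] ?? 'user@example.com'));
```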