Consider this query:
$query = "SELECT * FROM users WHERE username = '" . $_POST['username'] . "'";
The user could send "' OR '1'='1" as their username, which would make the query:
$query = "SELECT * FROM users WHERE username = '' OR '1'='1'";
This would always come back as true (not false) if queried. The user could of course do something even more malicious. What mysql_real_escape_string does is add slashes before the quotes, so they are taken literally, not as parts of the query.
$query = "SELECT * FROM users WHERE username = '\' OR \'1\'=\'1'";
In this query, where the input is escaped, the username would have to be "' OR '1'='1" in order for the query to come back as true (not false).
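To make the three queries above concrete, here is an added example (not part of the original answer) that builds the same strings in Python and runs the vulnerable one against an in-memory SQLite table with three constructed users. SQLite stands in for MySQL; the `mysql_escape` helper is an assumed, charset-unaware approximation of what mysql_real_escape_string does (backslash-escaping quotes and a few control characters), so its output is shown as a string rather than executed, because SQLite escapes quotes by doubling rather than with backslashes. A parameterized query is included for comparison, since that is what removes the quoting problem entirely.

```python
import sqlite3

# Constructed sample data: three ordinary usernames.
SAMPLE_USERS = ["alice", "bob", "carol"]

# The input from the answer above.
PAYLOAD = "' OR '1'='1"


def build_query_unsafe(username: str) -> str:
    """Plain string concatenation, mirroring the vulnerable PHP line."""
    return "SELECT * FROM users WHERE username = '" + username + "'"


def mysql_escape(value: str) -> str:
    """Assumed approximation of mysql_real_escape_string: backslash-escape the
    characters MySQL treats specially inside a quoted literal. Real MySQL
    escaping is connection-charset aware; this helper is not."""
    table = {
        "\\": "\\\\",
        "'": "\\'",
        '"': '\\"',
        "\0": "\\0",
        "\n": "\\n",
        "\r": "\\r",
        "\x1a": "\\Z",
    }
    return "".join(table.get(ch, ch) for ch in value)


def build_query_escaped(username: str) -> str:
    """Same concatenation, but with the input escaped first (MySQL syntax)."""
    return "SELECT * FROM users WHERE username = '" + mysql_escape(username) + "'"


def _fresh_db() -> sqlite3.Connection:
    """Constructed in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(u,) for u in SAMPLE_USERS])
    return conn


def rows_unsafe(username: str) -> list:
    """Execute the concatenated query: the payload turns the WHERE clause
    into '' OR '1'='1', so every row comes back."""
    conn = _fresh_db()
    return conn.execute(build_query_unsafe(username)).fetchall()


def rows_parameterized(username: str) -> list:
    """Bind the value instead of splicing it into SQL: the payload is
    compared literally against the username column and matches nothing."""
    conn = _fresh_db()
    return conn.execute(
        "SELECT * FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    print("unsafe query:      ", build_query_unsafe(PAYLOAD))
    print("rows returned:     ", len(rows_unsafe(PAYLOAD)))
    print("escaped query:     ", build_query_escaped(PAYLOAD))
    print("parameterized rows:", len(rows_parameterized(PAYLOAD)))
```

Running it prints the `'' OR '1'='1'` query and shows that it returns all three rows, while the parameterized version returns none; the escaped query string matches the `'\' OR \'1\'=\'1'` form in the answer, where every quote from the input is now a literal character inside the string value.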