mysql_real_escape_string doesn't touch HTML; it escapes single and double quotes so the database doesn't take them literally.

Also, set up MySQL so that the user account your application uses to access MySQL doesn't have DROP privileges, unless you actually use DROP in your code. Most people don't DROP tables in their code, so I always advise this.

Also, whoever did this could have placed malicious code in your code as well, so you had better check it. One of the main places to check is wherever you are creating new accounts. One thing some hackers like to do is insert code so that when a new account is created it emails the user/pass to some address so they can use it.
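As an added example (not part of the post above), here is how the least-privilege account the post recommends looks in MySQL, together with a check that the grant actually omits DROP. The database name `appdb`, the account name `webapp` and the password value are placeholders I chose for illustration; substitute your own.

```sql
-- Added example, not from the original post.
-- Placeholder names: appdb (application schema), webapp (application account).

-- 1. Create a dedicated account for the web application; never let the
--    application connect as root or as the schema owner.
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'REPLACE_WITH_A_STRONG_PASSWORD';

-- 2. Grant only the row-level operations the application code actually runs.
--    DROP, ALTER, CREATE, GRANT OPTION and FILE are deliberately left out, so an
--    injected query cannot drop or restructure tables or write to the filesystem.
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'webapp'@'localhost';

-- 3. If the account already existed with broad rights, strip the dangerous ones
--    explicitly rather than relying on the new GRANT to replace them (it does not).
REVOKE DROP, ALTER, CREATE ON appdb.* FROM 'webapp'@'localhost';
REVOKE FILE ON *.* FROM 'webapp'@'localhost';

FLUSH PRIVILEGES;

-- 4. Verify: the output should list only SELECT, INSERT, UPDATE, DELETE on appdb.*
--    (plus the implicit USAGE on *.*). Any line mentioning DROP, ALTER, CREATE,
--    FILE or ALL PRIVILEGES means the account is still over-privileged.
SHOW GRANTS FOR 'webapp'@'localhost';
```

Run this as an administrative user, not as the application account itself. Keeping the REVOKE step in the script matters because MySQL grants are additive: a fresh GRANT of a narrower set does not remove privileges that were handed out earlier.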