If they cared about best practices for PHP they wouldn't be using mysql_real_escape_string().