If used everywhere correctly real_escape_string is an option. But consider the following code:
$page = $_GET['page'];
$sql = 'SELECT `name` FROM `user` WHERE `id` = ' . mysqli_real_escape_string($page);
Safe or not? real_escape_string can only be used to escape strings inside quotation marks. $page could be 1 OR id IN (2,3,4,5,6,7,8,9) → no quotation marks, no real escaping. Casting to the correct datatype (int) might help in this case. You're better off using prepared statements, they are not as easily to mis-use.
