Speaking about SQL Injection.
Right now, I do the following for my website.
Question 1: Does it prevent SQL Injection alone?
Also, I'm thinking about doing the following.
Instead of running queries as a user with all privileges, I want to create a user for each task, like update, delete, select, drop etc.
When doing query, I can select which user to use like
$database->selectUser('SELECT')->runQuery('query');
Question 2: Would this help me with security? Is it worth doing?
Question 1: In general, mysql_real_escape_string will stop the basic SQL injections that will be attempted against you, but there ARE exceptions. See this question.
You should really switch all your code over to MySQLi or PDO.
Question 2: That really does not help your security. Let's say you start seeing weird stuff happening in your databases and you think you have been hacked...but which USER is it? If you think a password has been cracked, you will have to go through and change ALL your passwords.
Besides that, you basically have to define a new connection with every account....
Make ONE master account and give it a really good password. If strange stuff starts happening, you only have one password to change.
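
The switch to PDO suggested in the answer above, shown as an added example that is not part of the original thread. It assumes an in-memory SQLite database as an offline stand-in for the site's MySQL server; the `users` table, the sample rows and inputs, and the `findByName`/`findById` helpers are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite stands in for MySQL so this runs offline.
// With the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES to false so the
// server, not the client library, binds the parameters.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and rows.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$insert = $pdo->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
foreach ([['alice', 'alice@example.test'], ['bob', 'bob@example.test']] as [$n, $e]) {
    $insert->execute([':name' => $n, ':email' => $e]);
}

// String context: the value is sent as a bound parameter and is never
// spliced into the SQL text, so quotes inside it cannot change the query.
function findByName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric context: string escaping gives no protection when the value is
// placed in the query without quotes, so validate the type and bind as int.
function findById(PDO $pdo, string $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return []; // reject anything that is not a plain integer
    }
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request values: one normal, two carrying SQL syntax.
$inputs = ['alice', "alice' OR '1'='1"];
foreach ($inputs as $name) {
    printf("name=%s rows=%d\n", var_export($name, true), count(findByName($pdo, $name)));
}
foreach (['2', '2 OR 1=1'] as $rawId) {
    printf("id=%s rows=%d\n", var_export($rawId, true), count(findById($pdo, $rawId)));
}
```

Run it with the PHP CLI; only the inputs that name an existing row match, and the ones carrying SQL syntax are treated as literal data or rejected.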