SQL injection that gets around mysql_real_escape_string()

Is there an SQL injection possibility even when using `mysql_real_escape_string()` function? Consider this sample situation. SQL is constructed in PHP like this: $login = mysql_real_escape_string(GetFromPost('login')); $password = mysql_real_escape_string(GetFromPost('password')); $sql = "SELECT * FROM table WHERE login='$login' AND password='$password'"; I have heard numerous people say to me that code like that is still dangerous and possible to hack even with `mysql_real_escape_string()` function used. But I cannot think of any possible exploit? Classic injections like this: aaa' OR 1=1 -- do not work. Do you know of any possible injection that would get through the PHP code above?