Yes. SQL querying with standard inbuilt anti-injection code when retrieving the transactions that it can write itself.
How does this prevent the prompt injection described in the article?
How does it prevent DDoSing and/or exposing the database from an injected prompt?
What kind of "standard inbuilt anti-injection code" are you referring to? Mysql_real_escape_string()?