'escape_sql()' is used on string variables, like '@password$', you want to use within the 'query_sql()' command
Whenever you let the user provide information that will be used in the database, you should escape it.
What it does: It makes sure the input is safe from injections, more info on wikipedia
Example:
The user inputs: Injecting code "+DELETE...+"
escape_sql("Injecting code "+DELETE...+"");
And it will become: Injecting code "+DELETE...+"
And if you have a bug, you should provide more information regarding the bug.
The decrement of .menu was if it was supposed to index an array (since arrays start their indexing at 0, not 1). Using it with switch, which itself can handle whatever order you choose, you don't want to '-1'.
set .menu, select(.pkmn_menu$) -1;
Would make your first choice 0, then you check for 'case 1' which wants a 1. Solved by not having '-1'.
You do not terminate the script with a 'close;'. It will therefore continue after the menu down to the OnInit once again and continue to build the menu.
It's always good coding standard to make sure that an 'end' or 'close' is placed at the end of the NPC, but before On<Event> labels, in case you miss to terminate the user somewhere on the way.
plankt's post in About escape_sql was marked as the answer