When used properly everywhere, real_escape_string is an option. But consider the following code:
$page = $_GET['page'];
$sql = 'SELECT `name` FROM `user` WHERE `id` = ' . mysqli_real_escape_string($db, $page);

Is it safe or not? real_escape_string can only be used to escape strings inside quotes. $page can be

1 OR id IN (2,3,4,5,6,7,8,9)

with no quotes around it, so there is nothing to escape and the input goes through unchanged. In this case, casting to the correct data type (int) can help. You are better off using prepared statements; they are not so easy to use incorrectly.
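As an added example (not code from the answer above), the three variants side by side in PHP: the unquoted-escape query from the answer, the int cast, and a prepared statement. It assumes a mysqli connection to a database whose `user` table has an integer `id` and a `name` column; the connection parameters and the attacker input are placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer. Assumes a mysqli connection
// and a `user` table (id INT, name VARCHAR). Connection parameters and the
// attacker input below are constructed placeholders.

/** Vulnerable: the escaped value is never quoted, so escaping changes nothing. */
function name_query_unsafe(mysqli $db, string $page): string
{
    // "1 OR id IN (2,3,4,5,6,7,8,9)" contains no quote or backslash for
    // real_escape_string to rewrite, so it reaches MySQL verbatim as SQL.
    return 'SELECT `name` FROM `user` WHERE `id` = '
        . $db->real_escape_string($page);
}

/** Fix 1: force the correct type. Whatever follows the leading digits is dropped. */
function name_query_cast(string $page): string
{
    $id = (int) $page; // leading-numeric string keeps only its integer prefix
    return 'SELECT `name` FROM `user` WHERE `id` = ' . $id;
}

/**
 * Fix 2 (preferred): prepared statement. The value is bound as an integer
 * and never becomes part of the SQL text; non-integer input is rejected
 * outright instead of being silently truncated by a cast.
 */
function name_lookup_prepared(mysqli $db, string $page): ?string
{
    $id = filter_var($page, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // "1 OR id IN (2,3)" is not an integer: reject it
    }
    $stmt = $db->prepare('SELECT `name` FROM `user` WHERE `id` = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($name);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $name : null;
}

// Constructed attacker input, taken from the answer above.
$page = '1 OR id IN (2,3,4,5,6,7,8,9)';

// Assumed connection parameters (placeholders).
$db = new mysqli('localhost', 'app', 'secret', 'app');

echo name_query_unsafe($db, $page), PHP_EOL;
echo name_query_cast($page), PHP_EOL;
var_dump(name_lookup_prepared($db, $page)); // rejected: not an integer
var_dump(name_lookup_prepared($db, '1'));   // name of user 1, or null if absent
```

Running this prints the unsafe query with the injected `OR id IN (...)` clause intact, while the cast version ends in `= 1`. The prepared variant validates before binding because a plain `(int)` cast would turn the attacker's string into `1` and quietly accept it; returning null makes the bad input visible to the caller.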