Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Re: Do we need mysql_real_escape_string when we use mysqli ?

#134876
Participant

More specifically, **no**, do not use `mysql_real_escape_string()` with ext/mysqli.

You cannot mix the `mysql_*()` functions with `mysql`**`i`** (functional or object-oriented styles). It may or may not throw any errors, but it will not do anything useful (and may even *open* security holes by making you *think* your data is escaped when it is not).

A better option with mysqli is to use [prepared statements](http://php.net/mysqli.prepare): this way, you don’t have to worry about escaping data at all. MySQL will do it for you.
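
The prepared-statement approach recommended in the reply above, as an added example that is not part of the original post. The connection details (`localhost`, `example_user`, `example_password`, `example_db`), the `users` table, and the helper `findUserIds()` are assumptions made for illustration; the table rows and the hostile input are constructed sample data.

```php
<?php
// Added example, not code from the forum post.
// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Placeholder credentials: replace with your own.
$db = new mysqli('localhost', 'example_user', 'example_password', 'example_db');
$db->set_charset('utf8mb4');

// Constructed sample data in a temporary table (dropped when the connection closes).
$db->query('CREATE TEMPORARY TABLE users (
    id   INT AUTO_INCREMENT PRIMARY KEY,
    name VARCHAR(64) NOT NULL
)');
$db->query("INSERT INTO users (name) VALUES ('alice'), ('bob')");

/**
 * Hypothetical helper: look up user ids by name with a prepared statement.
 * The SQL text contains only the "?" placeholder; the value is bound
 * separately, so no escaping function is called on it.
 */
function findUserIds(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);   // 's' = bind as string
    $stmt->execute();
    $stmt->bind_result($id);

    $ids = [];
    while ($stmt->fetch()) {
        $ids[] = $id;
    }
    $stmt->close();
    return $ids;
}

// Ordinary lookup.
var_dump(findUserIds($db, 'alice'));

// Constructed hostile input: the quotes and the OR clause are compared
// against the name column as literal characters, not parsed as SQL.
var_dump(findUserIds($db, "alice' OR '1'='1"));

$db->close();
```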