more specifically, **no**, do not use `mysql_real_escape_string()` with ext/mysqli.
You cannot mix the `mysql_*()` functions with `mysql`**`i`** (functional or object-oriented styles). It may or may not throw any errors, but it will not do anything useful (and may even *open* security holes by making you *think* your data is escaped when it is not).
A better option with mysqli is to use [prepared statements](http://php.net/mysqli.prepare): this way, you don’t have to worry about escaping data at all. MySQL will do it for you.
Viewing 3 posts - 1 through 3 (of 3 total)