
Issue with mysql_real_escape_string() syntax

I've been doing some research on mysqli_real_escape_string() but I'm not really understanding how to properly use it in my case to help protect against SQL injection. Using my code below, can someone help me correct this? I appreciate all the help. The other questions on here regarding SQL injection and PHP did not really answer my question regarding the proper syntax usage in my format. When I used this:

$city = mysqli_real_escape_string($_POST['City']);

I got just my generic search no matter what the input of '%$city%' or '%$business%' was.

<?php
    $con = mysqli_connect(........);
    // Check connection
    if (mysqli_connect_errno())
    {
        echo "<option>Failed to connect to the Database</option>";
    }

    // Escape the form input before interpolating it into the query
    $city = mysqli_real_escape_string($con, $_POST['City']);
    $business = mysqli_real_escape_string($con, $_POST['Business']);

    $result = mysqli_query($con, "SELECT * FROM Business WHERE City LIKE '%$city%' AND BName LIKE '%$business%' ORDER BY City, BName ASC");
    while ($row = mysqli_fetch_array($result))
    {
        // do stuff here
    }

    // No other results
    echo "<center>No other listings like $city or $business</center>";

    // Free result set
    mysqli_free_result($result);
    mysqli_close($con);
?>

You have to use mysqli_real_escape_string instead of mysql_real_escape_string because you are using mysqli_* functions.

string mysqli_real_escape_string ( mysqli $link , string $escapestr )

You have to rewrite your escape sequences to

$city = mysqli_real_escape_string ($con, $_POST['City']);
$business = mysqli_real_escape_string ($con, $_POST['Business']);

And for preventing SQL injection, use prepared statements instead.
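For reference, here is the search from the question rewritten with a mysqli prepared statement. This is an added example, not code from the question or the answer: the table and column names (Business, City, BName) and the form fields come from the question, while the connection parameters are placeholders and the `searchBusinesses()` helper is assumed. It also shows the detail that trips people up with LIKE: the `%` wildcards go into the bound value, not the SQL text, and literal `%`/`_` in user input are escaped so they cannot widen the match (MySQL's default LIKE escape character is the backslash).

```php
<?php
// Added example (not from the original question or answer): the same search
// rewritten with a mysqli prepared statement. Table/column names come from the
// question; connection details and this helper's name are assumptions.

function searchBusinesses(mysqli $con, string $city, string $business): array
{
    // The SQL contains only placeholders; user input never becomes query text.
    $sql = "SELECT * FROM Business
            WHERE City LIKE ? AND BName LIKE ?
            ORDER BY City, BName ASC";

    $stmt = $con->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }

    // Wildcards are added to the *value*, so they are bound as data. Literal
    // %, _ and \ in the input are escaped for LIKE so the user cannot turn a
    // search term into a broader pattern than intended.
    $cityPattern     = '%' . addcslashes($city, '%_\\') . '%';
    $businessPattern = '%' . addcslashes($business, '%_\\') . '%';

    $stmt->bind_param('ss', $cityPattern, $businessPattern);
    $stmt->execute();

    // get_result() needs the mysqlnd driver (the default in modern PHP builds).
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Placeholder connection parameters; replace with your own.
$con = mysqli_connect('localhost', 'db_user', 'db_pass', 'db_name');
if (mysqli_connect_errno()) {
    echo "<option>Failed to connect to the Database</option>";
    exit;
}

$cityInput     = $_POST['City'] ?? '';
$businessInput = $_POST['Business'] ?? '';

$rows = searchBusinesses($con, $cityInput, $businessInput);

foreach ($rows as $row) {
    // do stuff here
}

if ($rows === []) {
    // Only report "no results" when the result set is actually empty, and
    // encode the user input before echoing it back into the page.
    printf('<center>No other listings like %s or %s</center>',
        htmlspecialchars($cityInput, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($businessInput, ENT_QUOTES, 'UTF-8'));
}

mysqli_close($con);
```

With `bind_param()` there is no call to mysqli_real_escape_string() at all: the driver sends the query and the parameter values separately, so a quote inside `$_POST['City']` is just a character in the search term. The escaping that remains is for LIKE metacharacters, which is a different concern (pattern matching) from query structure.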
