
mysqli_real_escape_string other way to use it?

I want to know if I can use mysqli_real_escape_string in a second way. Usually I use it like this:

// $con is an open mysqli connection, e.g. $con = new mysqli('localhost', 'user', 'pass', 'db');
$name = $_POST['name'];
// the procedural mysqli_real_escape_string() needs the connection as its first argument
$nameSecure = mysqli_real_escape_string($con, $name);
// use the escaped copy in the query, not the raw $name
$sql = "SELECT * FROM persions WHERE firstname = {$nameSecure}";
$con->query($sql);

But when I have more $_POST values, can I use mysqli_real_escape_string in this way:

$name = $_POST['name'];
$sql = "SELECT * FROM persions WHERE firstname = {$name}";
// the whole finished query string is passed through the escaping function
$con->query(mysqli_real_escape_string($con, $sql));

Is there any difference between these two methods? Actually I didn't see anybody use the second way. Can I use the second way, and is there any difference in security between these two methods?

Is there any difference between these two methods?

Yes. The first method just escapes the $name string while the second escapes the entire query string.

While this is not a problem for your specific query, it could be a problem for queries such as:

SELECT * FROM table WHERE name = 'string';

Since mysqli_real_escape_string would escape the quotes, resulting in the query:

SELECT * FROM table WHERE name = \'string\';

On a related note, I would encourage you to read about Prepared Statements.
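The difference the answer describes, as an added example that is not part of the original question or answer. It assumes an open mysqli connection with placeholder credentials and a table named persions with a firstname column as in the question, and goes one step beyond the answer by putting a prepared statement next to the two escaping variants.

```php
<?php
// Added example, not from the question or answer. $con, the credentials and the
// table `persions` are placeholders matching the question's code.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make query errors throw
$con = new mysqli('localhost', 'db_user', 'db_pass', 'db_name'); // placeholder credentials
$con->set_charset('utf8mb4'); // escaping is charset-aware; set it before escaping anything

$name = "O'Brien"; // constructed input containing a quote, as a form field might carry

// Second way from the question: escape the finished query string. The quotes that
// delimit the string literal are escaped too, so MySQL no longer sees a literal
// and rejects the statement as a syntax error.
$whole = mysqli_real_escape_string($con, "SELECT * FROM persions WHERE firstname = '{$name}'");
try {
    $con->query($whole);
} catch (mysqli_sql_exception $e) {
    echo 'Whole-query escaping broke the statement: ', $e->getMessage(), PHP_EOL;
}

// First way, done correctly: escape only the value and wrap it in quotes inside
// the query, so the escape sequences land inside the literal where they belong.
$valueOnly = "SELECT * FROM persions WHERE firstname = '"
    . mysqli_real_escape_string($con, $name) . "'";
$rows = $con->query($valueOnly)->fetch_all(MYSQLI_ASSOC);
echo 'Value escaping returned ', count($rows), ' row(s)', PHP_EOL;

// Prepared statement, as the answer recommends: the value travels separately from
// the SQL text, so it needs no escaping and cannot alter the query's structure.
$stmt = $con->prepare("SELECT * FROM persions WHERE firstname = ?");
$stmt->bind_param('s', $name);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
$stmt->close();
echo 'Prepared statement returned ', count($rows), ' row(s)', PHP_EOL;
```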
