Is mysqli_real_escape_string safe?

Question

I´m new in PHP and I´ve realised that my database connection, using a php form (with user and pass text inputs) was totally unsafe:

This was working, but was unsafe:

<?php
$link=mysqli_connect('localhost','xx','xx','xx');
$sql='  SELECT * FROM usuarios 
        WHERE username="'.$_POST['usuario'].'" 
        AND pass="'.$_POST['usuario'].'"
     ';
$rs=mysqli_query($link,$sql);
mysqli_close($link);
?>

So, I´ve read about mysqli_real_escape_string, and decided to try it out:

<?php    
$link=mysqli_connect('localhost','xx','xx','xx');
$usuario=mysqli_real_escape_string($link, $_POST["usuario"]);
$clave=mysqli_real_escape_string($link, $_POST["clave"]);
$sql='  SELECT * FROM usuarios 
        WHERE username="'.$usuario.'" 
        AND pass="'.$clave.'"
     ';
$rs=mysqli_query($link,$sql);
mysqli_close($link);
?>

Is this correct? Is this a good example of how to use mysqli_real_escape_string?

Answer 1

Is this correct?

Yes.

Is this a good example of how to use mysqli_real_escape_string?

NO

If ever used, this function have to be encapsulated into some inner processing, and never have to be called right from the application code. A placeholder have to be used instead, to represent data in your query:

$sql='SELECT * FROM usuarios WHERE username=? AND pass=?';

And then, upon processing placeholder marks, this function may be applied (if applicable) but not by itself but along ALL the formatting rules.

Answer 2

Yes you will use it save now.

The nice thing about using mysqli is that it is Object oriented. So you can use it like this:

<?php

$mysqli = new mysqli("host", "user", "password", "database");

$usuario = $mysqli->real_escape_string($_POST["usuario"]);
$clave = $mysqli->real_escape_string($_POST["clave"]);

$sql='  SELECT * FROM usuarios 
        WHERE username="'.$usuario.'" 
        AND pass="'.$clave.'"
     ';

$mysqli->query($sql);

$mysqli->close();
?>

Or you can use PDO.