Possible Duplicate:
Best way to prevent SQL Injection in PHP
Does mysqli class in PHP protect 100% against sql injections?

So I've been reading up about safety against SQL injections, and whilst PDO seems to be the safest way to fight against any such attack, I've decided to move from MYSQL_ to MYSQLI_.

So after converting I've decided it's about time I started making my site secure enough.

So for an example I've started using mysqli_real_escape_string. Would the below code be safe enough, or could I build on it further? And would I need to add it to my SELECT statements, or just my INSERT statements?

$sql_follows="SELECT * FROM friends WHERE user1_id=".mysqli_real_escape_string($mysqli,$user1_id)." OR user2_id=".mysqli_real_escape_string($mysqli,$user2_id);
$query_follows=mysqli_query($mysqli,$sql_follows) or die("Error finding friendships");
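The snippet above escapes the two ids but splices them into the SQL text unquoted, so the answer to "could I build on it further" is the usual one: validate the ids as integers and use a prepared statement with bound parameters, for SELECTs just as much as for INSERTs. This is an added example, not code from the question or its answers; the connection credentials and the `friends` table layout (integer columns `user1_id` and `user2_id`) are assumptions.

```php
<?php
// Added example (not from the original post). Assumes a reachable MySQL server
// with the placeholder credentials below and a `friends` table whose
// user1_id / user2_id columns are integers; both are assumptions.
declare(strict_types=1);

// Throw exceptions on mysqli errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Validate untrusted input as a plain integer id.
 * filter_var() returns false for anything that is not a decimal integer,
 * e.g. "7 OR 1=1", "", or "7abc".
 */
function require_int(string $raw): int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT);
    if ($value === false) {
        throw new InvalidArgumentException('Expected an integer id');
    }
    return $value;
}

/**
 * Fetch all friendship rows involving either user id. The ids travel to the
 * server as bound parameters, never as part of the SQL string, so no
 * escaping is needed and the query text is fixed at compile time.
 *
 * @return array<int, array<string, mixed>>
 */
function find_friendships(mysqli $db, int $user1Id, int $user2Id): array
{
    $stmt = $db->prepare('SELECT * FROM friends WHERE user1_id = ? OR user2_id = ?');
    $stmt->bind_param('ii', $user1Id, $user2Id); // 'i' = integer type per placeholder
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // requires mysqlnd (PHP default)
    $stmt->close();
    return $rows;
}

$db = new mysqli('127.0.0.1', 'app_user', 'PLACEHOLDER_PASSWORD', 'app_db'); // placeholders
$db->set_charset('utf8mb4'); // correct charset also matters if you ever do escape strings

// Constructed fallbacks so the script runs from the CLI without query parameters.
$u1 = require_int($_GET['u1'] ?? '7');
$u2 = require_int($_GET['u2'] ?? '12');

foreach (find_friendships($db, $u1, $u2) as $row) {
    echo json_encode($row), PHP_EOL;
}
```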
  • Questions > PHP > Votes > First question: [Best way to prevent SQL injection in PHP](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) – Romain Aug 19 '12 at 14:00
  • Fantastic answer @Johan, it's really helped me a lot. – dave Aug 19 '12 at 14:03