i dont know what msqli_query is but mysql_query i usually use mysql_real_escape_string($var) if its posted from a form using get or post. and the preg_replace() function

mysqli is just another way of using mysql with php, its supposed to be better than just using the mysql commands but i dont really know the difference. Should have specified a little more, i know of the mysql_real_escape_string function but what i am asking is can anyone really do damage to my site from an attempted sql injection attack if mysqli_query will only execute one statement, a user cant enter drop table and try to cause a table to be deleted. As i said im new to this and wanted to know if i really need to protect against an sql injection attack on my site?

oh i dont know about the mysqli. i dont know if people can inject with that this webpage says: "The data for the query does not need to be passed through a function like mysql_real_escape_string() to ensure that no SQL injection attacks[4] occur. Instead, the MySQL client and server work together to ensure that the sent data is handled safely when it is combined with the prepared statement.
" does that mean its unnecesary to use mysql and to just use mysqli?

http://stackoverflow.com/questions/6...sql-injections

well im using the object-oriented style so it looks like im safe. thanks for the help

Although mysqli has benefits in preventing SQL injection I would still say it is good practise to make sure you check that any data is in a format you would expect it to be. Get into these principles early, the server you're working on now may be great and use a number of technologies to make things easier for you now but what happens when you move on? Learn best practices now and carry them with you wherever you go

I think the safe bet is to say there's always going to be someone who figures out a way around any security setting. Then the question is how often does your hosting company update it's PHP server? And honestly, do you want to be caught completely off guard. Or what about when you bring another programmer on board and he slips up and uses a mysql_query instead? I think the best bet is to take the high road and protect yourself as much as you can ESPECIALLY when it comes to database queries. Personally I never let ANY data hit my database that hasn't gone thru a regular expression. Yeah, fine, that might be overkill, but honestly I don't care, I'm just paranoid like that.

whoops, what does the following do in mysqli (at least according to the link that was posted above?)