i dont know what msqli_query is but mysql_query i usually use mysql_real_escape_string($var) if its posted from a form using get or post. and the preg_replace() function

oh i dont know about the mysqli. i dont know if people can inject with that this webpage says: "The data for the query does not need to be passed through a function like mysql_real_escape_string() to ensure that no SQL injection attacks[4] occur. Instead, the MySQL client and server work together to ensure that the sent data is handled safely when it is combined with the prepared statement.
" does that mean its unnecesary to use mysql and to just use mysqli?

http://stackoverflow.com/questions/606099/does-mysqli-class-in-php-protect-100-against-sql-injections

Although mysqli has benefits in preventing SQL injection I would still say it is good practise to make sure you check that any data is in a format you would expect it to be. Get into these principles early, the server you're working on now may be great and use a number of technologies to make things easier for you now but what happens when you move on? Learn best practices now and carry them with you wherever you go :)

I think the safe bet is to say there's always going to be someone who figures out a way around any security setting. Then the question is how often does your hosting company update it's PHP server? And honestly, do you want to be caught completely off guard. Or what about when you bring another programmer on board and he slips up and uses a mysql_query instead? I think the best bet is to take the high road and protect yourself as much as you can ESPECIALLY when it comes to database queries. Personally I never let ANY data hit my database that hasn't gone thru a regular expression. Yeah, fine, that might be overkill, but honestly I don't care, I'm just paranoid like that.

whoops, what does the following do in mysqli (at least according to the link that was posted above?)

SELECT * FROM a_table WHERE something = ".$_var.";
and $var= ";DROP TABLE a_table;";"