I've been using MYSQLI functions in PHP for a long time.
And I always ask myself the same thing:
Why does the function mysqli_real_escape_string
need the connection as the first parameter? It doesn't make sense! It's just a function to escape quotes.
Do you know why?
mysqli_real_escape_string must be aware of the character set of the connection so that it can escape special characters properly. If you use a multi-byte set then mysqli must know. Otherwise a SQL injection is possible. See this answer for more detail.
However, don't use it! Use Prepared Statements!
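To illustrate the answer's point, here is an added example (written for this page; it is not code from the question, the answer, or PHP's mysqli) that models at byte level what a charset-unaware escape does, what an escape that knows the connection charset does, and how the server's string lexer would read each result. It runs offline with no MySQL connection. The input bytes are constructed, the names `mb_char_len`, `naive_escape`, `connection_aware_escape`, `server_finds_unescaped_quote` and `compare` are this example's own, and its multi-byte handling is a simplification of MySQL's escaping and lexing, not a copy of it.

```python
# Added example: why an escaping routine must know the connection charset.
# Python stands in for the byte-level behaviour; nothing here talks to MySQL.

# Bytes that a MySQL-style escape rewrites (NUL, newline, CR, Ctrl-Z, quotes, backslash).
SPECIAL = {
    0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
    0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\",
}


def mb_char_len(data: bytes, i: int, charset: str) -> int:
    """Length of the valid multi-byte character starting at data[i] in this
    charset, or 0 if data[i] does not begin one (assumption: this models
    MySQL's my_ismbchar check; it uses Python's codecs to decide validity)."""
    for n in (2, 3, 4):
        chunk = data[i:i + n]
        if len(chunk) < n:
            break
        try:
            if len(chunk.decode(charset)) == 1:
                return n
        except UnicodeDecodeError:
            continue
    return 0


def naive_escape(data: bytes) -> bytes:
    """Charset-unaware escaping: walk byte by byte and prefix specials with a
    backslash. This is what a routine without the connection would have to do."""
    out = bytearray()
    for b in data:
        out += SPECIAL.get(b, bytes([b]))
    return bytes(out)


def connection_aware_escape(data: bytes, charset: str) -> bytes:
    """Escaping that knows the charset: a valid multi-byte character is copied
    whole, a stray byte that is not a complete character on its own is itself
    escaped (so it cannot fuse with the backslash inserted after it), and the
    usual specials are escaped. Simplified model of MySQL's behaviour."""
    out = bytearray()
    i = 0
    while i < len(data):
        n = mb_char_len(data, i, charset)
        if n:
            out += data[i:i + n]
            i += n
            continue
        b = data[i]
        try:
            bytes([b]).decode(charset)
            complete_alone = True
        except UnicodeDecodeError:
            complete_alone = False
        if b in SPECIAL:
            out += SPECIAL[b]
        elif not complete_alone:
            out += b"\\" + bytes([b])
        else:
            out.append(b)
        i += 1
    return bytes(out)


def server_finds_unescaped_quote(escaped: bytes, charset: str) -> bool:
    """Defender's check, modelled on how the server lexes a string literal in
    the connection charset: a valid multi-byte character is skipped whole, a
    backslash skips the byte after it, and a bare quote ends the literal early.
    Returns True if the escaped bytes still contain a quote the server would
    treat as unescaped."""
    i = 0
    while i < len(escaped):
        n = mb_char_len(escaped, i, charset)
        if n:
            i += n
        elif escaped[i] == 0x5C:
            i += 2
        elif escaped[i] in b"'\"":
            return True
        else:
            i += 1
    return False


def compare(charset: str) -> dict:
    """Escape one constructed input both ways and report whether each result
    survives the server's reading in the given charset."""
    # Constructed input: a byte that is only half of a character in multi-byte
    # charsets such as GBK, followed by a quote.
    tainted = b"\xbf'"
    naive = naive_escape(tainted)
    aware = connection_aware_escape(tainted, charset)
    return {
        "naive": naive,
        "naive_unsafe": server_finds_unescaped_quote(naive, charset),
        "aware": aware,
        "aware_unsafe": server_finds_unescaped_quote(aware, charset),
    }


if __name__ == "__main__":
    for cs in ("latin1", "gbk"):
        print(cs, compare(cs))
```

With a single-byte charset such as latin1 both escapes are read correctly by the server, so the naive routine looks fine in testing; with gbk the byte-by-byte escape produces a sequence the server reads as one two-byte character followed by a bare quote, while the charset-aware escape does not. That difference is exactly why the function needs the connection: only the connection knows which charset the server will use to read the bytes. Prepared statements sidestep the whole question because parameter values never become part of the SQL text that the lexer parses.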