php - Is mysqli_real_escape_string safe?
I'm new to PHP, and I've realised that my database connection, using a PHP form (with user and pass text inputs), is totally unsafe:
This is working, but unsafe:
<?php
$link = mysqli_connect('localhost', 'xx', 'xx', 'xx');
// User input is concatenated straight into the query text (unsafe)
$sql = 'SELECT * FROM usuarios WHERE username="' . $_POST['usuario'] . '" AND pass="' . $_POST['clave'] . '"';
$rs = mysqli_query($link, $sql);
mysqli_close($link);
?>
So, I've read about mysqli_real_escape_string, and decided to try it out:
<?php
$link = mysqli_connect('localhost', 'xx', 'xx', 'xx');
// Escape each input for the connection's character set before concatenating
$usuario = mysqli_real_escape_string($link, $_POST['usuario']);
$clave = mysqli_real_escape_string($link, $_POST['clave']);
$sql = 'SELECT * FROM usuarios WHERE username="' . $usuario . '" AND pass="' . $clave . '"';
$rs = mysqli_query($link, $sql);
mysqli_close($link);
?>
Is this correct? Is it an example of how to use mysqli_real_escape_string?
Is it correct?
Yes.
Is it an example of how to use mysqli_real_escape_string?
No.
If ever used, this function has to be encapsulated in some inner processing, and never has to be called right in the application code. A placeholder has to be used instead, to represent the data in the query:
$sql = 'SELECT * FROM usuarios WHERE username = ? AND pass = ?';
And then, upon processing the placeholder marks, this function may be applied (if applicable) along with the other formatting rules.
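Below is an added example of the placeholder approach the answer describes, using mysqli prepared statements; it is not code from the question or the answer. It assumes the same table `usuarios` with columns `username` and `pass`, the same POST fields `usuario` and `clave`, and placeholder connection credentials.

```php
<?php
// Added example (not from the original post). Assumes a table `usuarios`
// with columns `username` and `pass`, POST fields `usuario` and `clave`,
// and placeholder credentials 'xx'.

// Make mysqli throw exceptions instead of failing silently, so a broken
// query cannot be mistaken for "no matching user".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$link = mysqli_connect('localhost', 'xx', 'xx', 'xx');

// The query text contains no user data at all, only placeholder marks.
// The statement structure is therefore fixed before any input is seen.
$sql = 'SELECT * FROM usuarios WHERE username = ? AND pass = ?';
$stmt = mysqli_prepare($link, $sql);

// Bind the raw POST values. The driver transmits them separately from the
// statement, so quotes, backslashes or SQL keywords inside the input are
// only ever compared as data and never parsed as part of the query. No
// manual escaping is needed, or wanted, in application code.
$usuario = $_POST['usuario'] ?? '';
$clave   = $_POST['clave'] ?? '';
mysqli_stmt_bind_param($stmt, 'ss', $usuario, $clave);

mysqli_stmt_execute($stmt);
$rs  = mysqli_stmt_get_result($stmt); // requires the mysqlnd driver
$row = mysqli_fetch_assoc($rs);

if ($row === null) {
    echo 'login failed';
} else {
    // Escape on output too: data going into HTML needs HTML escaping,
    // just as data going into SQL needed SQL-aware handling.
    echo 'welcome ' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8');
}

mysqli_stmt_close($stmt);
mysqli_close($link);
?>
```

If `mysqli_stmt_get_result()` is unavailable (no mysqlnd), `mysqli_stmt_bind_result()` followed by `mysqli_stmt_fetch()` gives the same separation between query text and data. The point of the example is the one the answer makes: the escaping function, if it is used at all, belongs inside whatever layer turns placeholders into a final query, not next to the `$_POST` reads.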