Leaderboard

Popular Content

Showing content with the highest reputation on 08/02/2019 in all areas

  1. The 2 things have nothing to do with each other, but I will say this about SQL Injections. Forget about mysqli_real_escape_string or any attempt to escape anything, and use parameters. Use parameters and bind the values. This eliminates the possibility of SQL Injections, because no interpolation is being done, and you also no longer have to care about escaping quotes or other characters special to SQL. https://www.php.net/htmlspecialchars is something you can use to combat XSS, or https://www.php.net/manual/en/filter.filters.sanitize.php. For XSS the best solution is to store the input in the DB as is, and then do your filtration/conversion when you are going to present the string on your site/within your application.
    1 point
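The advice in the post above, as an added example that is not the poster's code: values are bound to a PDO prepared statement instead of being interpolated into the SQL, input is stored as received, and htmlspecialchars is applied only when the string is rendered. It assumes the pdo_sqlite extension is available; the table and sample comments are constructed for the demonstration.

```php
<?php
// Added example (not from the forum post). In-memory SQLite with constructed data so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Store the input exactly as received; no escaping at write time.
// The values travel as bound parameters, never as part of the SQL text.
function saveComment(PDO $pdo, string $author, string $body): void {
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->bindValue(':author', $author, PDO::PARAM_STR);
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->execute();
}

// Look up by author with a bound parameter. Compare the unsafe form this replaces:
//   $pdo->query("SELECT ... WHERE author = '$author'")   // interpolation: quotes break the query
// With binding, a quote in $author is just data, so there is nothing to escape.
function commentsBy(PDO $pdo, string $author): array {
    $stmt = $pdo->prepare('SELECT author, body FROM comments WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output encoding for an HTML text/attribute context, applied at presentation time only.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input containing characters special to both SQL and HTML.
saveComment($pdo, "O'Brien", '<b>hi</b> & <script>alert(1)</script>');
saveComment($pdo, 'alice', 'plain text');

// The apostrophe in the author name does not break or alter the query.
$rows = commentsBy($pdo, "O'Brien");
assert(count($rows) === 1);
assert($rows[0]['body'] === '<b>hi</b> & <script>alert(1)</script>'); // stored verbatim

// Encode each field as it is placed into the page.
foreach ($rows as $row) {
    echo '<p><strong>' . h($row['author']) . '</strong>: ' . h($row['body']) . "</p>\n";
}
```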