I'm in a situation where I can't mix named and positional parameters in my PDO prepared statement. It's a long story, but to simplify I decided to just ditch prepared statements when using the IN operator.
E.g., use plain WHERE column IN (1, 2, 3) instead of WHERE column IN (?, ?, ?).
To ensure data is still safe, can I just use mysqli_escape_string() instead? 
E.g., WHERE column IN ('.mysqli_escape_string($a).', '.mysqli_escape_string($b).', '.mysqli_escape_string($c).') ?
In a nutshell, I want to know if mysqli_escape_string() is a good replacement for prepared statements in my use case?
Edit: replaced mysql_* with mysqli_*
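
An added example, not part of the original post: the IN list can be expanded into named placeholders, so the statement stays all-named and nothing has to be escaped by hand (escaping only protects values placed inside a quoted SQL string literal, and the values in the IN list above are unquoted). The helper `expandIn()`, the `items` table and its rows are hypothetical and constructed for illustration; the sketch assumes PHP 7.1+ with the pdo_sqlite extension so it runs without a database server.

```php
<?php
declare(strict_types=1);

/**
 * Expand a list of values into named placeholders (:prefix0, :prefix1, ...)
 * so an IN (...) clause fits into a statement that uses only named parameters.
 * Returns [sqlFragment, paramsToBind]. Hypothetical helper, not a PDO API.
 */
function expandIn(string $prefix, array $values): array
{
    // The prefix is concatenated into SQL text, so only accept an identifier.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('placeholder prefix must be an identifier');
    }
    if ($values === []) {
        // "IN ()" is a syntax error in MySQL; "IN (NULL)" never evaluates to true.
        return ['(NULL)', []];
    }
    $names = [];
    $params = [];
    foreach (array_values($values) as $i => $value) {
        $name = ':' . $prefix . $i;
        $names[] = $name;
        $params[$name] = $value;   // the value itself never touches the SQL text
    }
    return ['(' . implode(', ', $names) . ')', $params];
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER, owner TEXT)');
$pdo->exec("INSERT INTO items VALUES (1, 'ann'), (2, 'ann'), (3, 'bob'), (4, 'ann')");

// The second value contains a comma on purpose: it is bound as ONE value,
// so it cannot turn into two list items or any other SQL syntax.
[$inSql, $inParams] = expandIn('id', [1, '2, 4']);

$stmt = $pdo->prepare(
    "SELECT id FROM items WHERE owner = :owner AND id IN $inSql ORDER BY id"
);
$stmt->execute([':owner' => 'ann'] + $inParams);

print_r($stmt->fetchAll(PDO::FETCH_COLUMN));
```

Only the generated placeholder names are concatenated into the SQL string; every value, including the one with the embedded comma, travels as a bound parameter.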
