
I have a very old PHP application and I am avoiding SQL injection like this. Will this avoid SQL injection?

<?php
// Connection settings ($var) and $uid, $sid, $pid and $html_data1 are set elsewhere in the application.
$con = mysqli_connect($var['dbhost'], $var['dbuser'], $var['dbpass'], $var['dbname']);

// Escape each posted value before embedding it in the query string
$text      = $con->real_escape_string(strip_tags(htmlspecialchars(trim(stripslashes($_POST['title'])))));
$class     = $con->real_escape_string(strip_tags(htmlspecialchars($_POST['class'])));
$join_back = $con->real_escape_string(strip_tags(htmlspecialchars($_POST['join_back'])));
$heading   = $con->real_escape_string(strip_tags(htmlspecialchars($_POST['heading'])));
$serial    = $con->real_escape_string(htmlentities(trim(addslashes($_REQUEST['serial']))));

$sql = "INSERT INTO site_data(admin_id,site_id,page_id,css_name,serial,data_title,data_code,data_type,time_added,visible_for,join_back,is_deleted)
 VALUES('".$uid."','".$sid."','".$pid."','".$class."','".$serial."','".$text."','".$html_data1."','text','".time()."','all','','no')";

if (mysqli_query($con, $sql)) {
    header("location: show_data.php");
    $con->close(); // was $db->close(), but $db is never defined; $con is the open connection
    exit;
} else {
    echo "<div style='border: 3px solid blue;margin:10px;padding:10px;' class='error' align='center'>Problem Occurred. Try again Later.</div>";
}
?>

LD Bhatt

1 Answer

Yes, real_escape_string removes the potential problems that come with embedding strings directly into a query.

Adding strip_tags, htmlspecialchars, stripslashes etc. is redundant from an injection standpoint. I mean you can do it if you wish to remove any HTML tags, but it's not directly related to SQL injection.

If you want to take a more structured approach, I suggest you start looking into prepared statements and parameterized queries.

Start from this great summary

Andrea Olivato
  • Thanks. strip_tags, htmlspecialchars, stripslashes are for XSS – LD Bhatt May 28 '21 at 04:47
  • @LDBhatt you should be using those when outputting (to HTML only), not inputting. – ADyson May 28 '21 at 04:59
  • real_escape_string is not foolproof; there are some cases which would defeat it. You should definitely use prepared statements and parameters. – ADyson May 28 '21 at 05:00
  • @LDBhatt strip_tags and stripslashes are not for XSS. These functions have nothing to do with security. – Dharman May 28 '21 at 09:15
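An added example, not code from the question or the answer, showing the same INSERT rewritten with a mysqli prepared statement and bound parameters as the answer and comments recommend, with HTML encoding moved to output time. It assumes $var, $uid, $sid, $pid and $html_data1 are set elsewhere exactly as in the question, and that the three id columns and time_added are integer columns.

```php
<?php
// Assumed to be set elsewhere in the application, as in the question:
// $var (connection settings), $uid, $sid, $pid, $html_data1.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw mysqli_sql_exception
$con = new mysqli($var['dbhost'], $var['dbuser'], $var['dbpass'], $var['dbname']);
$con->set_charset('utf8mb4'); // escaping/binding must agree with the connection charset

// Keep the raw input; no strip_tags/htmlspecialchars here. The driver sends the
// values separately from the SQL text, so they can never change the query's structure.
$text   = trim($_POST['title'] ?? '');
$class  = $_POST['class'] ?? '';
$serial = trim($_REQUEST['serial'] ?? '');

// Constant values must also live in variables: bind_param takes them by reference.
$type     = 'text';
$now      = time();
$visible  = 'all';
$joinBack = '';
$deleted  = 'no';

$sql = 'INSERT INTO site_data
        (admin_id, site_id, page_id, css_name, serial, data_title, data_code,
         data_type, time_added, visible_for, join_back, is_deleted)
        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)';

try {
    $stmt = $con->prepare($sql);
    // Type string: i = integer, s = string (assumes the id and time columns are integers)
    $stmt->bind_param(
        'iiissssisssss'[0] === 'i' ? 'iiisssssisss' : 'iiisssssisss',
        $uid, $sid, $pid, $class, $serial, $text, $html_data1,
        $type, $now, $visible, $joinBack, $deleted
    );
    $stmt->execute();
    $stmt->close();
    $con->close();
    header('Location: show_data.php');
    exit;
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage()); // log the detail; never echo it to the visitor
    echo "<div class='error'>Problem Occurred. Try again Later.</div>";
}

// At output time, not input time, encode for the HTML context (the point ADyson makes above):
// echo htmlspecialchars($row['data_title'], ENT_QUOTES, 'UTF-8');
```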