For a parameterized query (http://php.net/manual/en/mysqli.prepare.php):
// `table` is a reserved word in MySQL, so the placeholder table name is backtick-quoted.
$sql = $connection3->prepare("INSERT INTO `table` (name,url,catname,updated) VALUES (?,?,?,?)");
$sql->bind_param('ssss', $Name, $URL, $CatalogName, $LastUpdated);
$results = $sql->execute(); // $results is true if the execute succeeded, false otherwise.
While this is "object-oriented style", the actual functionality of this statement will work whether or not you prefer "objects" to "procedural style"; it's all in the style. In any case, it will work, and there are procedural examples in the docs.
In fact, here's how you do it procedurally:
// `table` is a reserved word in MySQL, so the placeholder table name is backtick-quoted.
$stmt = mysqli_prepare($connection3, "INSERT INTO `table` (name,url,catname,updated) VALUES (?,?,?,?)");
mysqli_stmt_bind_param($stmt, "ssss", $Name, $URL, $CatalogName, $LastUpdated);
mysqli_stmt_execute($stmt);
Now you don't have to worry about escaping your statement, but you still do have to sanitize your entries to prevent cross-site scripting and other security risks.
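The following is an added example, not code from the original post: it combines the prepared INSERT above with the two checks the last sentence points at, validating the URL before it is stored and HTML-encoding every field when a row is rendered. The table name `catalog_entries`, the function names and the sample row are assumptions made for illustration.

```php
<?php
// Added example. catalog_entries, insert_entry() and render_entry() are hypothetical names.
// Make mysqli throw mysqli_sql_exception instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function insert_entry(mysqli $db, string $name, string $url, string $catName, string $updated): int
{
    // FILTER_VALIDATE_URL accepts any scheme, so restrict to http(s) explicitly;
    // otherwise a stored javascript: URL would become a live link when rendered.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('URL must be an http or https URL');
    }

    // Values travel separately from the SQL text, so quotes in $name are stored as data.
    $stmt = $db->prepare(
        'INSERT INTO catalog_entries (name, url, catname, updated) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $name, $url, $catName, $updated);
    $stmt->execute();
    $id = (int) $db->insert_id;
    $stmt->close();
    return $id;
}

function render_entry(array $row): string
{
    // Binding does nothing for XSS: encode each value at the point it enters HTML.
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf(
        '<li><a href="%s">%s</a> (%s, %s)</li>',
        $e($row['url']), $e($row['name']), $e($row['catname']), $e($row['updated'])
    );
}

// Constructed sample row, shaped like one fetched back from the table.
// The name holds a quote and markup that the prepared statement stored verbatim.
$row = [
    'name'    => "O'Reilly <script>x</script>",
    'url'     => 'https://example.com/?a=1&b=2',
    'catname' => 'Books',
    'updated' => '2024-01-01',
];
echo render_entry($row), PHP_EOL;

// With a live connection (assumed credentials):
// $db = new mysqli('localhost', 'user', 'password', 'catalog');
// insert_entry($db, $row['name'], $row['url'], $row['catname'], $row['updated']);
```

The rendering part runs without a database; `insert_entry()` needs a MySQL connection and a table with the four columns shown.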