add mysql_real_escape_string() after str_replace()

Question

How to add mysql_real_escape_string() after str_replace()?

$s='+'.str_replace(' ',' +',rawurldecode($_GET['search']));

$sql = '
SELECT * from table 
where match 
(keywords) 
AGAINST 
('".mysql_real_escape_string($s)."' IN BOOLEAN MODE) 
order by date desc 
limit '.mysql_real_escape_string($_GET['number']).',10
';

Is this the correct way to write the mysql_real_escape_string() in such a mysql full text search? Thanks.

Answer 1

Yes, it is almost correct way (you have bad quote order), but functions you are using are depracted. Use mysqli. You should alsu use intval() because user can input text value and it generates error.

$sql = '
SELECT * from table 
where match 
(keywords) 
AGAINST 
("'.mysql_real_escape_string($s).'" IN BOOLEAN MODE) 
order by date desc 
limit '.intval($_GET['number']).',10
';