Three rules to get it right:
- do not use this function in the application code
- do not put your variables directly into the query but use prepared statements
- do not use raw mysqli in the application code but use some higher-level abstraction, at least PDO
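To make the second and third rules concrete, here is an added example (not code from the answer above) that puts a string-spliced query next to a PDO prepared statement. It uses an in-memory SQLite database through PDO so it runs offline; the `users` table, its rows, the input value and the two function names are all constructed for the illustration:

```php
<?php
// Added example, not part of the original answer. An in-memory SQLite
// database via PDO stands in for the real server; the table and rows
// below are constructed for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('Alice'), ('O''Brien')");

// Constructed user input: a perfectly legitimate surname that happens to
// contain a quote character.
$input = "O'Brien";

// Rule 2 violated: the value is spliced into the SQL text, so the quote in
// the data becomes part of the query grammar. With a harmless name this is
// a syntax error; with hostile input it is an injection point.
function findByNameUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Rule 2 followed: the SQL text is fixed at prepare time and the value is
// sent separately as a bound parameter, so it can never alter the
// statement's structure, whatever characters it contains.
function findByNameSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

try {
    findByNameUnsafe($pdo, $input);
} catch (PDOException $e) {
    echo 'unsafe query failed: ' . $e->getMessage() . PHP_EOL;
}

// The prepared version returns the single matching row.
print_r(findByNameSafe($pdo, $input));
```

The same shape carries over to MySQL: only the DSN passed to `new PDO(...)` changes, while the prepare-and-bind pattern stays identical, which is the point of reaching for PDO instead of hand-building query strings with raw mysqli.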