I'm not familiar on prepared statements yet, right now I'm just trying to learn php then I'll get into prepared statements once I understand how everything works... I'm a hands on learner, so I have to break a couple things ...
And yes, you're right about creating the new connection every time is very inefficient, but for mysqli_real_escape_string you have to put your mysqli_connection before the string and even when I remove the $link variable from line 11 and 12 i get the "Fatal error: Function name must be a string"
Then let's say I remove the $link variable from line 11, then line 12 says undefined index for $link even though it's defined on line 8.
...unless I'm missing something?
$link = mysqli_connect("localhost","root","","test");
function protect ($string) {
$link = mysqli_connect("localhost","root","","test");
return mysqli_real_escape_string($link, $_POST($string));
}