PDO might be a better way to go. It can provide for prepared statements which can remove instances of SQL injection attacks
Have a look at the manual for PHP’s PDO here
solved Mysqli login – Am i protected against Sql injection with this code? [closed]