I was wondering if I should still use mysqli_real_escape_string in this situation.

I have a set list of URL parameters that are accepted; otherwise they are ignored.

if (isset($_GET["data"])) {
    $data = $_GET["data"];
    // only the known values below are acted on; anything else falls through and is ignored
    switch ($data) {
        case "one":
            // do x
            $sql = "SELECT * FROM table WHERE page='" . $data . "'";
            break;
        case "two":
            // do x
            break;
        case "three":
            // do x
            break;
    }
}
vitalyp
  • You are not passing anything except known strings to the query. You can safely avoid escaping. – bansi Dec 31 '15 at 04:44

1 Answer

In this case, mysqli_real_escape_string isn't needed. The purpose of this function is to "sanitize" data that is input by a user.

In your code as it currently is written, yes, you are using data input by a user in that $_GET['data'] may contain something input into a form (or likewise); however, since you are then using a switch statement to check $_GET['data'] before you concatenate it to a query, you are a-okay.

However, if you decide to implement a "default case" that concatenates $data to a query without first comparing it to a value you know to be safe, then, yes, you should sanitize your data.

Here's some further reading on sanitizing your user input: The ultimate clean/secure function

Tim
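As an added illustration (this is my own example, not code from the question or from Tim's answer), the script below keeps the question's allowlist idea but also covers the "default case" the answer warns about: the page value is bound as a query parameter, so even a value that slipped past the allowlist could not alter the SQL structure. It uses PDO with an in-memory SQLite database so it runs offline; the table name pages, its columns and the sample rows are constructed for the demo. The same prepared-statement pattern applies to mysqli via $mysqli->prepare() and bind_param().

```php
<?php
// Added example, not the question's or answer's code.
// Assumptions: PDO with the sqlite driver is available; the "pages" table is constructed here.
declare(strict_types=1);

// Allowlist of accepted values for the "data" parameter, mirroring the switch in the question.
const ALLOWED_PAGES = ['one', 'two', 'three'];

/**
 * Returns the page key if it is exactly one of the allowlisted strings, otherwise null.
 * Strict comparison (third argument true) means only these exact strings match.
 */
function resolvePage(?string $data): ?string
{
    if ($data === null) {
        return null;
    }
    return in_array($data, ALLOWED_PAGES, true) ? $data : null;
}

/**
 * Fetches rows for a page. The value is passed as a bound parameter rather than
 * concatenated into the SQL string, so the database never parses it as SQL.
 * This is the safe way to write the "default case" the answer describes.
 */
function fetchRowsForPage(PDO $db, string $page): array
{
    $stmt = $db->prepare('SELECT id, page, body FROM pages WHERE page = :page');
    $stmt->execute([':page' => $page]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- constructed sample data (not from the original page) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, page TEXT NOT NULL, body TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO pages (page, body) VALUES (?, ?)');
foreach ([['one', 'first page'], ['two', 'second page'], ['three', 'third page']] as $row) {
    $insert->execute($row);
}

// Simulated values of $_GET["data"]: two allowlisted, one unknown, and one containing a
// quote character that would break a concatenated query string.
$requests = ['one', 'three', 'four', "one' x"];
foreach ($requests as $input) {
    $page = resolvePage($input);
    if ($page === null) {
        echo 'ignored: ' . var_export($input, true) . "\n";
        continue;
    }
    $rows = fetchRowsForPage($db, $page);
    echo "page {$page}: " . count($rows) . ' row(s), body=' . $rows[0]['body'] . "\n";
}
```

Running it prints the two allowlisted pages with their rows and reports the other two inputs as ignored. The point is that the allowlist decides what the application acts on, while the bound parameter guarantees the query text is fixed regardless of what the user sent, so neither layer depends on mysqli_real_escape_string.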