mysqli_real_escape_string has NOTHING WHATEVER to do with security. Its function is to prevent the data and the query getting mixed up so that the server doesn't know which is which.
You should validate your data when you first read it to ensure that the field content is valid for what the field is allowed to contain - as a side effect that prevents injection by not allowing the weird strings required for injection to be entered into fields where they don't make sense in the first place.
Only where legitimate content could accidentally result in crashing the query does mysqli_real_escape_string play a part and then only if you jumble the SQL and data together instead of using prepare/bind.
For example: you wouldn't allow apostrophes in a username and so the username anything' OR 'x'='x should fail validation for that field long before it gets anywhere near the SQL.
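
An added example, not part of the original post, showing the two steps described above together: allow-list validation of the field, then prepare/bind so the data is never mixed into the SQL text. The username rule, the `users` table with its `id` and `username` columns, and the function names are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Allow-list validation: 3-32 letters, digits, '_' or '-'.
// (Assumed rule for this example; use whatever the field really permits.)
function isValidUsername(string $username): bool
{
    // \A and \z anchor the whole string, so a trailing newline cannot slip through.
    return preg_match('/\A[A-Za-z0-9_-]{3,32}\z/', $username) === 1;
}

// Look up a user id with prepare/bind. The hypothetical `users` table and its
// columns stand in for your own schema. $db is an already-open connection.
function findUserId(mysqli $db, string $username): ?int
{
    if (!isValidUsername($username)) {
        throw new InvalidArgumentException('Invalid username');
    }

    // Make mysqli throw on errors instead of returning false.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

    // The query text is fixed; the value travels separately as a bound parameter.
    $stmt = $db->prepare('SELECT id FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();   // true = row fetched, null = no row
    $stmt->close();

    return $found ? (int) $id : null;
}

// Constructed sample inputs; the second is the string quoted in the post.
$samples = ['alice_01', "anything' OR 'x'='x", 'ab'];
foreach ($samples as $input) {
    printf("%-24s %s\n", $input, isValidUsername($input) ? 'accepted' : 'rejected');
}
```

The loop at the end runs without a database; `findUserId()` needs an open `mysqli` connection passed in by the caller.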