I clean post data using mysqli_real_escape_string. Should I also, then, apply addcslashes() to a variable that is used in an SQL LIKE clause?
[I understand that using prepared statements would probably negate this discussion.]
If you cannot use prepared statements (always a good option), as far as I know it is best to escape the MySQL LIKE wildcards as well:
addcslashes($param, '%_');
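The following is an added example, not code from the question or the answer above. It shows why the escaping is needed even with a prepared statement: binding the value protects the SQL statement, but `%` and `_` are still interpreted by LIKE itself. It assumes PHP with the pdo_sqlite extension; an in-memory SQLite table called `users` stands in for MySQL so the script runs offline. MySQL treats backslash as the default LIKE escape character, so there the `ESCAPE` clause can be dropped; SQLite has no default, so it is spelled out here.

```php
<?php
// Escape the LIKE metacharacters so user input matches literally inside a
// pattern. The backslash is included because it is the escape character
// itself: a literal "\" in the input would otherwise escape the next char.
function escapeLikeTerm(string $term): string
{
    return addcslashes($term, '\\%_');
}

// Prefix search with both protections: the pattern is bound (no string
// concatenation into the SQL) and its wildcards are escaped.
// The PHP "\\" becomes a single backslash in the SQL text, which SQLite reads
// as a one-character string; for MySQL omit the ESCAPE clause (backslash is
// its default) or spell it as '\\\\' in PHP source.
function findNamesWithPrefix(PDO $db, string $prefix): array
{
    $stmt = $db->prepare(
        "SELECT name FROM users WHERE name LIKE :pattern ESCAPE '\\' ORDER BY name"
    );
    $stmt->execute([':pattern' => escapeLikeTerm($prefix) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Same query with the value bound but the wildcards left unescaped: a user
// '_' still matches any single character and a user '%' any run of them.
function findNamesWithPrefixNaive(PDO $db, string $prefix): array
{
    $stmt = $db->prepare(
        "SELECT name FROM users WHERE name LIKE :pattern ORDER BY name"
    );
    $stmt->execute([':pattern' => $prefix . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data (assumed schema: one text column "name").
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (name) VALUES (?)');
foreach (['Ann', 'A_n', 'Alan', 'A\\x', '50% off'] as $name) {
    $ins->execute([$name]);
}

// User typed "A_" expecting names that start with those two characters.
print_r(findNamesWithPrefixNaive($db, 'A_')); // A\x, A_n, Alan, Ann: "_" acted as a wildcard
print_r(findNamesWithPrefix($db, 'A_'));      // A_n only

// A literal backslash in the input must be escaped too, or it would swallow
// the trailing "%" wildcard; with the backslash in the charlist this matches.
print_r(findNamesWithPrefix($db, 'A\\'));     // A\x
```

The first call demonstrates the failure mode the question is about: the bound parameter stops SQL injection, yet the search still returns every name beginning with "A" followed by any character. Escaping only `%` and `_`, as in the answer's snippet, covers the common case; adding the backslash to the charlist closes the remaining gap where a user-supplied backslash would itself act as the escape character.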