What is the correct way to escape a sql statement?

Question

I read lot of things about the common sql injection so got interested on how to fix them. Before I just used to use addslashes() thinking (badly) that it would fit. Then I discovered that mysql(i)_real_escape_string() is way more useful and trustful than addslashes(). Since then I use mysqli_real_escape_string() but recently I got into something I haven't really understood. I had some problem about sending datas to mysql and character set. So, once again, I searched, and many users say that SET NAMES UTF8 is the way to make everything goes the correct way. But then I read that using that query makes mysqli_real_escape_string() not working.

So after all I got a little bit confused.

What's the correct way to escape a sql statement?

What are the possible exploits using SET NAMES UTF8?

Is mysqli_set_charset() the correct way to make the connection communicate in a specified charset?

Using mysqli_sey_charset() are the mysql's internal variables cchanged in the process?

Thanks

Answer 1

Just to correct a lot of misinformation in both question and answers.

1. Not "statement" but string literal. Escaping "SQL statements" is a straight way to injection. Only strings have to be escaped, while other query parts require distinct and absolutely different formatting and escaping will do not a slightest good to them.
2. All that escaping/encoding mess only connected to some marginal encodings like GBK. With UTF-8 you can use even addslashes()
3. Since 5.3 PDO is all right with setting client encoding, as long as it's set in DSN.

What's the correct way to escape a sql statement?

In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?

What are the possible exploits using SET NAMES UTF8?

None

Is mysqli_set_charset() the correct way to make the connection communicate in a specified charset?

Sure.
It have to be fed with the actual charset used on the HTML page.