I used mysql escape string in my code. I was taking e-mail addresses and storing them in the database. This is the escape-string function I used.
mysqli_real_escape_string($connection, $_POST['data'])
But I looked at the database today and found that someone has been able to insert things like "C:/Windows/xyz", SQL queries etc. Those have been included in the database. How is this happening, even when the HTML doesn't let you enter anything except a proper email address?
There's a huge difference between sanitizing and validating variables. Sanitation gives You sql-safe variables for Your database operations, but noone said that user can't order "fleventy" beers over Your form.
If You want to validate for proper email address string You could use filter_var($_REQUEST["email"], FILTER_VALIDATE_EMAIL) function.