I have a static database connection established in a file which I include as
include_once 'database.inc.php';
named $mysqli.
When I pass a parameter $tbname from a form using $tbname = $_GET['tbname'], and attempt to use $tbname = $mysqli->real_esacpe_string($tbname), it produces identical output to $tbname, including when invalid characters such as /,'" are used in the name.
Based on looking at other questions and proper usage, I cannot find a reason why the string escape should fail. It also fails if a procedural call is used to mysqli_real_escape_string($mysqli, $tbname).
When $tbname is valid and not string escaped by the function, my query
query = $mysqli->prepare("CREATE TABLE $tbname (ID INT NOT NULL AUTO_INCREMENT PRIMARY KEY)") or trigger_error($mysqli->error."[$query]");
works as intended.
\'". But you should never use it. Instead, you have to use prepared statements