mySQLI - problem with mysqli_real_escape_string

I have this code, and works perfectly, but i want to make a simple modification

    <?php session_start();
require 'includes/f_banco1.php';
require '../PasswordHash.php';


function checkBd($sql, $db, $user, $codePass) {
    $user = $_GET['userid']; //here
    $codePass = $_GET['code'];//here

    if(is_numeric($user)) {

        ($sql = $db->prepare("select userid, code from password_reset where userid=? and code=?"));

        $sql->bind_param('ss', $user, $codePass);

        $sql->execute();

        $sql->bind_result($user, $codePass);

        if ($sql->fetch()) {
            $_SESSION['u_name']= sha1($user);
            header("location: updatePass.php");
            return true;
        }
        else
        echo "Não existe na BD";
        return false;

    }
    else
    echo "Erro开发者_JAVA百科";

}

checkBd ($sql, $db, $user, $codePass);

?>

i want to change these lines

$user = $_GET['userid']; //here
$codePass = $_GET['code'];//here

to

    $user = mysqli_real_escape_string($db, $_GET['userid']);
$codePass = mysqli_real_escape_string($db, $_GET['code']);

but with this change the code simple stops work, an echo of $user doesn't show nothing

any idea?

thanks

You do not need to do that. You are using prepared statements, which escape the variables automatically.

If you prepare your statement, you don't need to escape your string.

Note: Your database connection must be opened to use mysqli_real_escape_string()