This is fairly hard to illustrate quickly and not actually needed at your current level. However, it is worth a quick warning in case you need it later.
You have just seen how the user can type in form data which is then used as SQL code. You have (hopefully) prevented that data from being used for hacking by using mysqli_real_escape_string() and single quotes. It is conceivable, however, that the same sort of thing can happen with table and field names in a query. This is only likely if you develop a front end for a database which allows users to add new tables and fields. phpMyAdmin would be one example, as it lets you add new tables and fields by typing their names into forms. Instead of a name you could type SQL code. Feel free to try it; it will not work, because they thought of that!
They have protected against it by placing backticks (`) around table and field names in queries. These work exactly the same way as single quotes around data (and even look almost identical). This query is open to attack if the variable holds form data which should be a name for a new field but is actually SQL code:
ALTER TABLE sqlinjectionticks ADD $newFieldName INT NOT NULL;
but this is safe:
ALTER TABLE `sqlinjectionticks` ADD `$newFieldName` INT NOT NULL;
If you get into the habit of adding backticks now, the problem will never arise. They do no harm.
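As an added example (not code from the original page), here is the same ALTER TABLE query built in PHP with a user-supplied field name, together with the one detail the backticks rely on: a backtick inside the submitted name has to be doubled, and mysqli_real_escape_string() does not do that for you. The function names and the form field name are assumptions.

```php
<?php
// Added example, not from the original page. Builds the page's ALTER TABLE
// query from a user-supplied field name and quotes that name safely.
// quoteIdentifier(), isPlainIdentifier() and the form box "newfield" are assumptions.

/**
 * Return $name wrapped in backticks so MySQL reads it as one identifier.
 * Any backtick inside the name is doubled, which is MySQL's own escape for
 * quoted identifiers. mysqli_real_escape_string() does NOT escape backticks,
 * so it cannot replace this step.
 */
function quoteIdentifier(string $name): string
{
    // MySQL limits identifiers to 64 characters and they may not end in a space.
    if ($name === '' || strlen($name) > 64 || substr($name, -1) === ' ') {
        throw new InvalidArgumentException('Invalid identifier: ' . $name);
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Stricter alternative for a form: only accept names made of letters, digits
 * and underscores. Quoting is still applied afterwards; the two checks stack.
 */
function isPlainIdentifier(string $name): bool
{
    return preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,63}$/', $name) === 1;
}

// Constructed sample inputs: a normal name, and one containing a backtick
// and a semicolon, as someone might type into the "newfield" form box.
$samples = ['score', 'bad` INT; SELECT 1; --'];

foreach ($samples as $newFieldName) {
    $plain = isPlainIdentifier($newFieldName) ? 'accepted' : 'rejected';
    $sql = 'ALTER TABLE `sqlinjectionticks` ADD ' . quoteIdentifier($newFieldName)
         . ' INT NOT NULL;';
    // The second sample ends up as one (strange) column name inside a single
    // pair of backticks; the semicolon and the rest never leave the identifier.
    echo "[$plain by allow-list] $sql", PHP_EOL;
}
```

Run it with the PHP command-line interpreter; it only prints the queries it would send, so no database connection is needed.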