You should use real_escape_string on any parameter you're mixing as a string literal into the sql statement. And only on those string literal values.
Therefore the description of Situation 01 and Situation 02 is not sufficient to answer those concrete questions. It's probably yes.
