The following code seems to do what I intend for it to do. What I'm wondering, however, is if anyone can think of a reason why I shouldn't do this. Are there any particular vulnerabilities, etc.? Or if anyone has a better/easier way, I'd be interested to hear that as well. Thanks!

if(isset($_POST['submit'])) {
	// $dbc is assumed to be an open mysqli connection
	foreach($_POST as $key => $val){
		// escape every non-numeric value in place
		if(!is_numeric($val)) {
			$_POST[$key] = mysqli_real_escape_string($dbc, $val);
		}
	}
	// import every POST key as a local variable
	extract($_POST);
}

    The MySQLi interface provides the ability to use prepared statements that do all the necessary escaping automatically, which makes this code redundant.

    It wastes time escaping field values that don't need to be escaped.

    Also, attackers can set pretty much any variable they like by having an appropriately-named field in their submission.
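An added example (not code from the original post) of the third point: with extract(), any field name the client chooses becomes a local variable, so a value the script set itself can be overwritten. $_POST is replaced by a constructed array so the script runs from the command line; the field name is_admin and both handler functions are the example's own.

```php
<?php
// Added example: extract($_POST) versus reading only the keys the form defines.
// The request arrays below are constructed; on a real page they would be $_POST.
declare(strict_types=1);

function handle_with_extract(array $post): array
{
    $is_admin = false;   // decided server-side, never meant to come from the form
    $username = '';

    if (isset($post['submit'])) {
        // Same pattern as the question: every POST key lands in the local scope.
        // A request carrying is_admin=1 replaces the default set above.
        extract($post);
    }

    return ['username' => $username, 'is_admin' => (bool) $is_admin];
}

function handle_with_whitelist(array $post): array
{
    $is_admin = false;
    $username = '';

    if (isset($post['submit'])) {
        // Only the fields the form defines are read; anything else is ignored.
        $username = (string) ($post['username'] ?? '');
    }

    return ['username' => $username, 'is_admin' => $is_admin];
}

// Constructed request: a normal submission plus one extra field, which any
// HTTP client can add regardless of what the HTML form contains.
$maliciousPost = [
    'submit'   => 'Register',
    'username' => 'mallory',
    'is_admin' => '1',
];

var_dump(handle_with_extract($maliciousPost));
var_dump(handle_with_whitelist($maliciousPost));
```

Run it and the first handler reports is_admin as true, the second as false. extract($post, EXTR_SKIP) would protect variables that already exist at the time of the call, but it still creates every other key the client sends, so reading named keys is the simpler rule.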

      I've never had the need to use prepared statements until now. Do you know of any good resources for tutorials, information, etc?

        I think that is a good way.
        We have all seen very many bad ways that do not consider escaping posted strings.

        Personally I have started using PHP Filter for some POST forms.
        There is even a special function for POST/GET inputs.
        [man]filter_input[/man]

        An example, even though here I use [man]filter_var[/man]
        after [man]extract[/man] of $_POST, like you do.

        Extract is very handy,
        as long as you are sure it will not overwrite existing variables.
        Extract with $_POST['username'] will overwrite $username ...

        Here is a user register form with image CAPTCHA check.
        Only the part where I validate the input data:

        <?php

        // Get and filter POST inputs
        if(isset($_POST['captcha'])){

            $posted = array_map('trim', $_POST); // remove extra spaces around the values
            extract($posted);                    // $fname, $lname, ... now hold the form values

            // filter: strip tags etc. bad things
            // (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1)
            $fname =     filter_var($fname,     FILTER_SANITIZE_STRING);
            $lname =     filter_var($lname,     FILTER_SANITIZE_STRING);
            $email =     filter_var($email,     FILTER_SANITIZE_EMAIL);
            $username =  filter_var($username,  FILTER_SANITIZE_STRING);
            $password =  filter_var($password,  FILTER_SANITIZE_STRING);
            $password2 = filter_var($password2, FILTER_SANITIZE_STRING);

            $msg = '';
            // validate each var and email
            if    (strlen($fname)<2) $msg = 'add your first name';
            elseif(strlen($lname)<2) $msg = 'add your last name';
            elseif(filter_var($email, FILTER_VALIDATE_EMAIL)===FALSE) $msg = 'not valid email';
            elseif(strlen($username)<6) $msg = 'username should be at least 6 chars';
            elseif(strlen($password)<6) $msg = 'password should be 6-16 chars';
            elseif($password !== $password2 ) $msg = 'passwords do not match';

            // Testing submitted Captcha against SESSION value
            if(empty($msg)){ // =no errors above
                // Compare input string
                if($_POST['captcha'] === $_SESSION['nospam']){
                    $msg = "Correct! You are a human";
                    // ... rest of the registration handling (omitted by the poster)
                }
            }
        }
        ?>
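An added example, not the poster's code, of the same registration checks written as a filter definition for the PHP filter extension. Fields that are not in the definition are dropped, which removes the need for extract(), and the definition can be applied to the live request with filter_input_array(INPUT_POST, REGISTRATION_FILTERS). Here a constructed request array is passed to filter_var_array() so the script runs offline; the field names follow the post above, the patterns, length limits and the captcha value are the example's own.

```php
<?php
// Added example: declarative validation of the registration form with
// filter_var_array(); the request arrays at the bottom are constructed.
declare(strict_types=1);

// FILTER_SANITIZE_STRING is deprecated since PHP 8.1, so names are validated
// against a pattern instead and escaped with htmlspecialchars() only at output.
const NAME_RULE = ['filter'  => FILTER_VALIDATE_REGEXP,
                   'options' => ['regexp' => '/^[\p{L} \'-]{2,50}$/u']];

const REGISTRATION_FILTERS = [
    'fname'     => NAME_RULE,
    'lname'     => NAME_RULE,
    'email'     => FILTER_VALIDATE_EMAIL,
    'username'  => ['filter'  => FILTER_VALIDATE_REGEXP,
                    'options' => ['regexp' => '/^[A-Za-z0-9_]{6,32}$/']],
    'password'  => FILTER_UNSAFE_RAW,   // hashed later, never "sanitised"
    'password2' => FILTER_UNSAFE_RAW,
    'captcha'   => FILTER_UNSAFE_RAW,
];

/**
 * Returns ['ok' => bool, 'errors' => string[], 'fields' => array].
 * $expectedCaptcha stands in for $_SESSION['nospam'].
 */
function validate_registration(array $request, string $expectedCaptcha): array
{
    // trim() only string values; array_map('trim', $_POST) warns on nested arrays
    $request = array_map(fn($v) => is_string($v) ? trim($v) : $v, $request);

    // missing field -> null, failed validation -> false, key not in definition -> dropped
    $in = filter_var_array($request, REGISTRATION_FILTERS);

    $errors = [];
    if (!$in['fname'])    { $errors[] = 'add your first name'; }
    if (!$in['lname'])    { $errors[] = 'add your last name'; }
    if (!$in['email'])    { $errors[] = 'not valid email'; }
    if (!$in['username']) { $errors[] = 'username should be 6-32 letters, digits or _'; }

    $password = (string) ($in['password'] ?? '');
    if (strlen($password) < 6) {
        $errors[] = 'password should be at least 6 chars';
    } elseif ($password !== (string) ($in['password2'] ?? '')) {
        $errors[] = 'passwords do not match';
    }

    if (!$errors && (string) ($in['captcha'] ?? '') !== $expectedCaptcha) {
        $errors[] = 'captcha does not match';
    }

    return ['ok' => !$errors, 'errors' => $errors, 'fields' => $in];
}

// Constructed requests; 'x7k2p' plays the part of the session captcha value.
$good = ['fname' => ' Ada ', 'lname' => 'Lovelace', 'email' => 'ada@example.com',
         'username' => 'ada_1815', 'password' => 'secret12', 'password2' => 'secret12',
         'captcha' => 'x7k2p'];

$bad = $good;
$bad['fname']    = '<b>Ada</b>';   // rejected by the name pattern
$bad['email']    = 'not-an-email';
$bad['is_admin'] = '1';            // not in the definition: silently dropped

print_r(validate_registration($good, 'x7k2p'));
print_r(validate_registration($bad,  'x7k2p'));
```

The second call reports the first-name and e-mail errors and its fields array contains no is_admin entry at all, so the extra key can never reach a local variable. Validated values are still raw data: HTML-escape them when rendering and pass them to the database through bound parameters.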
          Pikachu2000 wrote:

          Do you know of any good resources for tutorials, information, etc?

          Yes; the manual. See [man]mysqli.prepare[/man], for example.
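An added example (not code from this thread) of what the pointer to [man]mysqli.prepare[/man], and the first point in the earlier reply, amount to in practice: the registration fields go to the database through bound parameters, so no value needs mysqli_real_escape_string() at all. It assumes $dbc is an open mysqli connection with the mysqlnd driver (for get_result()) and a users table with the columns shown in the comment; the table, column names and credentials are the example's own, not the posters' schema.

```php
<?php
// Added example: mysqli prepared statements in place of per-value escaping.
// Assumed schema (example's own):
//   users(id INT AUTO_INCREMENT PRIMARY KEY, username VARCHAR(32) UNIQUE,
//         email VARCHAR(255) NOT NULL, password_hash VARCHAR(255) NOT NULL)
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

function register_user(mysqli $dbc, string $username, string $email, string $password): int
{
    // The statement text holds only placeholders; the values are sent to the
    // server separately, so quotes, backslashes or "' OR 1=1" in $username
    // cannot change the statement's structure. Nothing is escaped, and the
    // question of which values "need" escaping no longer arises.
    $stmt = $dbc->prepare(
        'INSERT INTO users (username, email, password_hash) VALUES (?, ?, ?)'
    );
    $hash = password_hash($password, PASSWORD_DEFAULT); // never store the password itself
    $stmt->bind_param('sss', $username, $email, $hash);  // bind_param needs variables
    $stmt->execute();

    return (int) $dbc->insert_id;
}

function find_user(mysqli $dbc, string $username): ?array
{
    $stmt = $dbc->prepare('SELECT id, username, email FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    return $row ?: null;
}

function check_login(mysqli $dbc, string $username, string $password): bool
{
    $stmt = $dbc->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    return $row !== null && password_verify($password, $row['password_hash']);
}

// For contrast, the pattern the question asked about. Escaping only helps
// when the escaped value ends up between quotes in the SQL; in an unquoted
// position such as  "... WHERE id = $id"  an input of  1 OR 1=1  contains
// nothing for mysqli_real_escape_string() to escape and still alters the
// query. A bound parameter has no such dependency on the surrounding SQL.

// Usage (needs a live server; the connection values are placeholders):
// $dbc = new mysqli('localhost', 'app', 'secret', 'appdb');
// $id  = register_user($dbc, $username, $email, $password);
// var_dump(find_user($dbc, $username), check_login($dbc, $username, $password));
```

The database handle is created once, outside the functions, and passed in; with MYSQLI_REPORT_STRICT a failed prepare or execute throws a mysqli_sql_exception instead of silently returning false.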
