Should I use mysqli prepare statement everytime I insert, update & delete a record?

Asked Jul 22 '12 at 04:06

Active Jul 22 '12 at 04:06

Viewed 274 times

My main concern is the security of inserting, updating, & deleting of record in my database table.

If I use the following code:

    $sql_room = "UPDATE `lf_rooms` SET room_count`=$room_count
                    WHERE id = $room_id";

    mysqli_query($con, $sql_room);

Is this secure or do I need to use prepare statement?

asked Jul 22 '12 at 04:06

jaypabs

There's little downside to using a prepared statement, considering the fact that it could save your database. – Waleed Khan Jul 22 '12 at 04:07
Prepare when you input user data, or you can choose to use [`mysqli_escape_string`](http://php.net/manual/en/function.mysqli-escape-string.php) instead – Alvin Wong Jul 22 '12 at 04:10
As for security, if `$room_count` and `$room_id` are user inputs, then it's particularly *insecure*. – Matchu Jul 22 '12 at 04:10
@arxanas what is the downside? – jaypabs Jul 22 '12 at 04:26
@Matchu it's a user input taken from $_POST. – jaypabs Jul 22 '12 at 04:27
@jaypabs As far as I understand, it's negligible: http://stackoverflow.com/questions/1363039/are-there-downsides-to-using-prepared-statements – Waleed Khan Jul 22 '12 at 04:28
@AlvinWong should I use mysqli_escape_string every time there is data inputted user? – jaypabs Jul 22 '12 at 07:49

0 Answers0