
Until now I've been using prepared statements together with real_escape_string when handling input from HTML forms. Example:

// Escape first, then bind the already-escaped value
$var1 = $dbconnection->real_escape_string($_POST['varFromForm']);

if ($insert = $dbconnection->prepare("INSERT etc.. ")) {
    $insert->bind_param('s', $var1);
    $insert->execute();
    // and so on..
}

However, this messed up the formatting when displaying the stored data: it output \r\n where line breaks had been used in the input textarea. This is because the input was apparently escaped twice.

So I want to make sure that I haven't misunderstood the deal with prepared statements, and that the following code IS safe from SQL injection by using prepared statements without the escaping?

// Bind the raw value; no manual escaping
$var1 = $_POST['varFromForm'];

if ($insert = $dbconnection->prepare("INSERT etc.. ")) {
    $insert->bind_param('s', $var1);
    $insert->execute();
    // and so on..
}
j0k
Markus

1 Answer

The SQL query execution plan of a prepared statement can't be changed by the parameters; the parameters can only be inserted. So you don't need to escape variables.

bpoiss
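To check the answer's claim against the double-escaping described in the question, here is an added PHP example (not code from the question or the answer). It assumes a reachable MySQL server with placeholder credentials, MySQL's default sql_mode, and a hypothetical notes table created as a temporary table.

```php
<?php
// Added example, not from the question or answer. Assumes a reachable MySQL
// server; host, user, password and database below are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');
$db->query('CREATE TEMPORARY TABLE notes (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT)');

// Constructed input as a browser sends it from a <textarea>: CRLF line breaks
// plus text that would be dangerous if it were concatenated into the SQL.
$input = "line one\r\nline two'; DROP TABLE notes; -- ";

function insertNote(mysqli $db, string $body): int {
    // The parser only ever sees the placeholder; $body travels separately as
    // data, so it cannot change the statement's execution plan.
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (?)');
    $stmt->bind_param('s', $body);
    $stmt->execute();
    $id = $stmt->insert_id;
    $stmt->close();
    return $id;
}

function fetchNote(mysqli $db, int $id): string {
    $stmt = $db->prepare('SELECT body FROM notes WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($body);
    $stmt->fetch();
    $stmt->close();
    return $body;
}

// Wrong: escape, then bind. Both layers apply, so the backslashes added by
// real_escape_string are stored literally (the "\r\n" the question saw).
$idEscaped = insertNote($db, $db->real_escape_string($input));
// Right: bind the raw value and let the prepared statement handle it.
$idBound = insertNote($db, $input);

// The escaped row holds literal backslash-r backslash-n and backslash-quote
// sequences; the bound row holds exactly the bytes the user typed.
assert(fetchNote($db, $idEscaped) === "line one\\r\\nline two\\'; DROP TABLE notes; -- ");
assert(fetchNote($db, $idBound) === $input);
// The table survives both inserts: "DROP TABLE" was stored as plain data.
assert($db->query('SELECT COUNT(*) FROM notes')->fetch_row()[0] === '2');

// For display, encode for HTML and turn the real newlines into <br>.
echo nl2br(htmlspecialchars(fetchNote($db, $idBound), ENT_QUOTES, 'UTF-8'));
```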