8

Should I use mysqli_real_escape_string or should I use prepared statements?

I've seen a tutorial now explaining prepared statements, but I've seen them do the same thing as mysqli_real_escape_string, only using more lines.

Are there any benefits for prepared statements? What do you think is the best method to use?

galymzhan
  • 5,505
  • 2
  • 29
  • 45
Ali
  • 3,479
  • 4
  • 16
  • 31
  • Use prepared statements. – Arjun Abhynav Apr 03 '13 at 11:38
  • http://stackoverflow.com/questions/2353666/php-is-mysql-real-escape-string-sufficient-for-cleaning-user-input –  Apr 03 '13 at 11:40
  • I think this will fix your doubts, http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php/60496#60496 Thanks – 6339 Apr 03 '13 at 11:43
  • If you're looking for performance you should use real_escape_string instead of a prepared statement because it is twice as fast. Details here: https://www.jimwestergren.com/pdo-versus-mysqli – Pascut Oct 31 '17 at 14:15

3 Answers

6

Prepared statements only. Escaping is nowhere near the same thing. In fact, escaping has absolutely nothing to do with injections of any kind, and shouldn't be used for protection.

Prepared statements, on the other hand, offer 100% security when applicable.

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
  • How is it possible to inject with the latter? Given UTF-8 and that using `mysql_real_escape_string` of course implies using delimiters or int casts as well. – Esailija Apr 03 '13 at 12:03
  • 1
    If you're looking for performance you should use real_escape_string instead of a prepared statement because it is twice as fast. Details here: https://www.jimwestergren.com/pdo-versus-mysqli – Pascut Oct 31 '17 at 14:15
  • 6
    @Pascut First, it says that PDO offers performance without penalty. Second and most important, **do not trade security for the performance**, you'll lose both. Nobody cares whether your hacked site is fast. – Your Common Sense Oct 31 '17 at 14:27
  • My comment is related to the question. Your answer hasn't addressed the performance domain. But I agree with you, security first, performance later. – Pascut Nov 01 '17 at 09:09
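To make the contrast in this answer concrete, here is the same lookup written both ways. This is an added example, not code from the question or from any answer on this page; the connection parameters and the `users` table are placeholders assumed for illustration.

```php
<?php
// Added example (not from the question or any answer above): one lookup written
// with mysqli_real_escape_string and with a mysqli prepared statement.
// Connection parameters and the `users` table are assumptions for illustration.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any mysqli error
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholder credentials
$db->set_charset('utf8mb4'); // escaping is only correct for the charset the connection declares

$name = $_GET['name'] ?? ''; // untrusted input
$id   = $_GET['id']   ?? ''; // untrusted input

// --- Escaping. This is correct only if every escaped value is also wrapped in
// quotes in the SQL text: escaping neutralises quote characters inside a string
// literal and does nothing else. A numeric column compared without quotes must
// therefore be cast, not escaped; forgetting either step is the usual mistake.
function findUserEscaped(mysqli $db, string $name, string $id): array
{
    $safeName = $db->real_escape_string($name);
    $safeId   = (int) $id; // cast, because the value is not inside quotes below
    $sql = "SELECT id, name FROM users WHERE name = '$safeName' AND id = $safeId";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// --- Prepared statement. The query text goes to the server first, the values
// follow separately, so quoting and casting are no longer the developer's job
// and there is nothing to forget.
function findUserPrepared(mysqli $db, string $name, string $id): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ? AND id = ?');
    $stmt->bind_param('si', $name, $id); // 's' = string, 'i' = integer
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
}

$rows = findUserPrepared($db, $name, $id);
foreach ($rows as $row) {
    echo $row['id'], ' ', htmlspecialchars($row['name']), PHP_EOL;
}
```

Both functions are safe as written; the difference is that `findUserEscaped` is safe only because of two separate decisions (quotes around the string, a cast for the integer) that a later edit can silently undo, while `findUserPrepared` stays safe however the query is rearranged.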
5

Use prepared statements, because after using them you don't have to use mysqli_real_escape_string. Prepared statements do this by default.

Yogesh Suthar
  • 30,424
  • 18
  • 72
  • 100
  • 1
    Because `...do the same thing as mysqli_real_escape_string but it uses more lines...` OP wrote it in question. P.S. downvote not from me ;) – Narek Apr 03 '13 at 11:43
  • Well, I know I don't have to use mysqli_real_escape_string after using a prepared statement, but why shouldn't I just use mysqli_real_escape_string from the beginning and not use a prepared statement? – Ali Apr 03 '13 at 11:45
  • 1
    "`prepared statements` do this by default." Not true. A prepared statement (with no emulation) uses a different mechanism. – sectus Apr 03 '13 at 11:46
  • "because you don't have to use mysqli_real_escape_string". Yes. It rather makes you use A LOT MORE functions to run a single query. That's the point of the question: how to write less code, not more. – Your Common Sense Apr 03 '13 at 11:49
0

It's very easy to forget (maybe not for you, but other developers you work with) to escape whereas it's very hard to use prepared statements incorrectly to cause a vulnerability. So prepared statements.

Esailija
  • 138,174
  • 23
  • 272
  • 326