Do I need mysqli_escape_string to avoid sql injection if I use mysqli prepared statement
Viewed 78 times
FYI, escaping does **not** prevent injection. – The Blue Dog Aug 08 '14 at 18:16
No, if you use bind variables, you don't use mysql_escape_string, otherwise everything will be double-escaped – Mark Baker Aug 08 '14 at 18:16
1 Answer
No you don't, prepared statements will ensure that your queries are sanitized properly.
In fact, prepared statements are the safest way to prevent injections, escaping is never 100% safe.
This explains why: Why is using a mysql prepared statement more secure than using the common escape functions?
- Consult the following links regarding prepared statements, or PDO with prepared statements.
Dany Caissy
Thank you for the link, I'll go through the article. All you people have been great in answering and guiding me. Thanks again – Aug 08 '14 at 18:29
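The contrast the answer draws, as an added example that is not part of the original question, answer, or the linked article: the same lookup written with string concatenation, with `real_escape_string`, and with a mysqli prepared statement, plus the PDO form the answer mentions. The table `users(id, username, email)`, the host name, database name and credentials are placeholders assumed for illustration, and the untrusted value is read from `$_GET` only to stand in for any user-supplied input.

```php
<?php
// Added example, not code from the original post. Connection details and the
// users(id, username, email) table are placeholders assumed for illustration.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
$db = new mysqli('localhost', 'app_user', 'placeholder-password', 'app_db');
$db->set_charset('utf8mb4'); // escaping is only correct for the connection charset

$username = $_GET['username'] ?? ''; // untrusted input, stands in for any user data

// --- Unsafe: input becomes part of the SQL text. A quote character in the
// value ends the string literal early and the remainder is parsed as SQL.
// Built here for comparison only; never executed.
$unsafe = "SELECT id, email FROM users WHERE username = '$username'";

// --- Escaping: works only when every value is quoted and the charset is
// right; numeric contexts and identifiers are not covered, which is why the
// answer calls it "never 100% safe". Also not executed.
$escaped = $db->real_escape_string($username);
$quoted  = "SELECT id, email FROM users WHERE username = '$escaped'";

// --- Prepared statement: query text and data travel separately. The server
// compiles the statement with a typed placeholder before it ever sees the
// value, so the value cannot change the query structure and must NOT be
// escaped. Escaping here would store and compare a literal backslash, the
// "double-escaped" problem Mark Baker's comment describes.
function findUserByName(mysqli $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE username = ?');
    $stmt->bind_param('s', $username); // 's' = bind as string, raw value as-is
    $stmt->execute();
    $stmt->bind_result($id, $email);   // bind_result avoids needing mysqlnd

    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['id' => $id, 'email' => $email];
    }
    $stmt->close();
    return $rows;
}

foreach (findUserByName($db, $username) as $row) {
    printf("%d %s\n", $row['id'], $row['email']);
}

// --- Same lookup with PDO. Emulated prepares are switched off so the
// placeholder is handled by the MySQL server rather than by client-side
// quoting in the driver.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app_db;charset=utf8mb4',
    'app_user',
    'placeholder-password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);
$q = $pdo->prepare('SELECT id, email FROM users WHERE username = :username');
$q->execute([':username' => $username]); // raw value again, no escaping
$rows = $q->fetchAll(PDO::FETCH_ASSOC);
```

The rule of thumb the thread converges on: with bound parameters the value never passes through the SQL parser as text, so the escaping layer has nothing to protect and only corrupts the data. Keep `real_escape_string` for the rare cases where a value genuinely has to be spliced into the SQL string, and prefer a placeholder everywhere else.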