3

Which of these is right and really safe?
Using prepared statements:

// Prepared statement: the SQL is compiled first, the value is bound afterwards
$stmt = $db->prepare("INSERT INTO books (title) VALUES (?)");
$booktitle = $_POST['booktitle'];
$stmt->bind_param('s', $booktitle);
$stmt->execute();

Or using an escape function:

$unsafe_variable = $login;
// The procedural mysqli_real_escape_string() needs the connection link as its first argument
$safe_variable = mysqli_real_escape_string($db, $unsafe_variable);
$stm = mysqli_query($db, "SELECT post_amount FROM users WHERE login='" . $safe_variable . "'");
$stmone = mysqli_fetch_assoc($stm);
$stmtwo = implode($stmone);
echo($stmtwo);

Please help me deal with it.

3 Answers

4

The first option is way, way better. I can't stress this enough. Not only does it ensure you always take care of things automatically, but it also gives you cleaner code. If you don't use prepared statements, all it takes is one miss in your sanitation and you're wide open for attacks. Hell, prepared statements are half the reason mysqli was introduced in the first place.

Joel Hinz
0

The first option is better and it can give you clean code and take care of all things automatically

varad mayee
0

Technically both are safe.

However, using prepared statements forces you to escape all your variables. You can't miss an escape_string call using prepared statements.

Also look at PDO, which has a nicer way of dealing with prepared statements imho :)

Sbls
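The two approaches from the question side by side, plus the PDO variant mentioned above, as an added example (not code from the question or any answer). It assumes a reachable MySQL database with placeholder credentials and a `users` table with `login` and `post_amount` columns; `$login` stands for untrusted request input.

```php
<?php
// Added example, not from the original question or answers.
// Assumes a MySQL database at the placeholder credentials below (constructed values).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any mysqli error
$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
// Set the connection charset explicitly: mysqli_real_escape_string() escapes according
// to the connection charset, so relying on a default is a known weak spot of approach 2.
$db->set_charset('utf8mb4');

$login = $_POST['login'] ?? '';   // untrusted input

// 1) Prepared statement: the query text is sent first and the value bound afterwards,
//    so the value is never parsed as SQL whatever it contains.
function postAmountPrepared(mysqli $db, string $login): ?int
{
    $stmt = $db->prepare('SELECT post_amount FROM users WHERE login = ?');
    $stmt->bind_param('s', $login);
    $stmt->execute();
    $stmt->bind_result($amount);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $amount : null;
}

// 2) Escaping: safe only when (a) the link is passed so the right charset is used and
//    (b) the escaped value sits inside single quotes in the SQL. Interpolating an
//    escaped value into a numeric or identifier position (... WHERE id = $escaped)
//    is NOT protected by this function; that is the "one miss" the answers warn about.
function postAmountEscaped(mysqli $db, string $login): ?int
{
    $safeLogin = mysqli_real_escape_string($db, $login);
    $result = $db->query("SELECT post_amount FROM users WHERE login = '" . $safeLogin . "'");
    $row = $result->fetch_assoc();
    return $row === null ? null : (int) $row['post_amount'];
}

// 3) PDO alternative with emulated prepares disabled, so the server performs the binding.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare('SELECT post_amount FROM users WHERE login = :login');
$stmt->execute([':login' => $login]);
$pdoAmount = $stmt->fetchColumn(); // false when no row matches

var_dump(postAmountPrepared($db, $login), postAmountEscaped($db, $login), $pdoAmount);
```

All three queries return the same row for a well-formed login; the difference is that approaches 1 and 3 stay correct even if a future edit drops the quotes around the value, while approach 2 does not.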