If I properly prepare and bind every query in my application, is there any need for using mysqli_real_escape_string (for MYSQLI connections) or addslashes (for PDO connections)?
I ask this seemingly "already asked" question because elsewhere on Stackoverflow people have asked whether their application is safe from injection attack if they prepare their statements BUT THEY DON'T ALSO SAY BIND.
Typically what follows is a long and helpful explanation from a reader on how first-order queries are safe when the queries are prepared, but second-order queries are vulnerable to injection attack, and then the reader/responder lists things to do to prevent this. And usually BINDING comes up as one solution.
So, my question is actually rather simple:
If every single query in my application is PREPARED with all parameters BOUND using the proper methodology (for MYSQLI or PDO), am I free to drop mysqli_real_escape_string() and addslashes() sanitizing on the strings passed to the queries?
(I'm revising code written by someone else who didn't use a single prepared query in the entire site; instead, he relied on mysqli_real_escape_string for sanitization. Since I'm going to the trouble of preparing and binding every single query, I'd like to be able to drop the mysqli_real_escape_string/addslashes routines if they are made unnecessary by properly preparing all the queries AND binding all the parameters, as I am doing).
Many thanks!
