
Do i need to escape characters when inserting into prepared statements? Do prepared statements escape the code for me?

alaboudi

Easier to ask the SO community than to use Google...

PHP Manual:

Escaping and SQL injection

Bound variables are sent to the server separately from the query and thus cannot interfere with it. The server uses these values directly at the point of execution, after the statement template is parsed. Bound parameters do not need to be escaped as they are never substituted into the query string directly. A hint must be provided to the server for the type of bound variable, to create an appropriate conversion. See the mysqli_stmt_bind_param() function for more information.

Such a separation is sometimes considered the only security feature to prevent SQL injection, but the same degree of security can be achieved with non-prepared statements, if all the values are formatted correctly. It should be noted that correct formatting is not the same as escaping and involves more logic than simple escaping. Thus, prepared statements are simply a more convenient and less error-prone approach to this element of database security.

... assuming you go for mysqli, of course

Kevin Kopf
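The separation the manual describes, shown as an added example that is not part of the question or the answer: Python's standard sqlite3 module stands in for PHP/mysqli (an assumption; the bound-parameter mechanism is the same), and php_style_escape is a simplified stand-in for an escaping function, not mysqli_real_escape_string. It also shows the caveat that escaping a value and then binding it stores the backslashes as data.

```python
import sqlite3

# Constructed sample inputs, the kind a form field might carry.
SAMPLES = [
    "O'Brien",                      # a legitimate apostrophe
    "x' OR '1'='1",                 # quote-breakout text, inert when bound
    "back\\slash and \"quotes\"",   # backslash and double quotes
]

def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn

def insert_bound(conn: sqlite3.Connection, name: str) -> None:
    """Bound parameter: the value travels separately from the SQL text, so no escaping."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))

def insert_concat(conn: sqlite3.Connection, name: str) -> None:
    """Unsafe: the value is spliced into the statement text, so its quotes change the syntax."""
    conn.execute(f"INSERT INTO users (name) VALUES ('{name}')")

def php_style_escape(s: str) -> str:
    """Assumption: simplified addslashes-like escaping, standing in for a real escape function."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def stored_names(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY id")]

def demo_bound() -> list:
    """Every sample is stored exactly as given; the database never saw it as SQL."""
    conn = setup()
    for s in SAMPLES:
        insert_bound(conn, s)
    return stored_names(conn)

def demo_concat_fails() -> bool:
    """With concatenation, the apostrophe in O'Brien terminates the literal and the statement is rejected."""
    conn = setup()
    try:
        insert_concat(conn, SAMPLES[0])
    except sqlite3.OperationalError:
        return True
    return False

def demo_double_escape() -> str:
    """Escaping AND binding corrupts the data: the backslash becomes part of the stored value."""
    conn = setup()
    insert_bound(conn, php_style_escape("O'Brien"))
    return stored_names(conn)[0]
```

The same rule carries over to mysqli: bind the raw value with mysqli_stmt_bind_param() and do not run it through an escape function first.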