I see a lot of post about inserting into MySQL database. The vast amount of them seem to forget that its user input we are dealing with. What would be the best was to insert data in to the table. Would mysqli_real_escape_string be okay? Or would using prepared statements be a better option, maybe both?
Asked
Active
Viewed 32 times
0
pah
- 4,700
- 6
- 28
- 37
James Coombes
- 27
- 2
-
Escaping is not okay. Using both even less. Use Prepared, parameterized Queries. – Charlotte Dunois Jul 26 '16 at 10:32
1 Answers
0
mysqli_real_escape_string is good, but not always safe as prepared statement.
mysql_real_escape_string() prone to the same kind of issues affecting addslashes().
So use of prepared statement is much better.
Nana Partykar
- 10,556
- 10
- 48
- 77
Devsi Odedra
- 5,244
- 1
- 23
- 37