
I am in the process of creating a reply ticket system, and came across this. Since I'm using mysqli_real_escape_string, it's adding backslashes to the reply text. Since I'm using prepared statements and bind_param, is it safe to remove the mysqli escape string? Or will that open it up for SQL injection? Thanks!!


Frits
  • Sorry, didn't know if that applied, I'll take a look! Thank you! – Sep 23 '16 at 16:04
  • If you're (properly) using prepared statements, then you DON'T escape. That essentially double-escapes the data. – Marc B Sep 23 '16 at 16:06

1 Answer


Simple answer, no. SQL injection involves inputting strings that are used as part of the SQL control itself rather than values for a part of the query. By parameterizing the query, you essentially cordon off the variable, which covers the cases protected by *_escape_string calls and is more secure.

Steve
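The following is an added example illustrating the answer above; it is not code from the question or the answer. It shows both halves of the point: escaping before bind_param stores literal backslashes (the symptom in the question), and a bound parameter is never parsed as SQL, whereas the same input concatenated into the query text changes the query. It assumes a MySQL server reachable with the credentials shown, a database named `ticketing`, and the mysqlnd driver (for `get_result` and `fetch_all`); the table is TEMPORARY so nothing persists.

```php
<?php
// Added example, not from the original question or answer. Connection details,
// the "ticketing" database and the table layout are assumptions for this demo.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'app_password', 'ticketing'); // assumed
$db->set_charset('utf8mb4');

// Scratch table; TEMPORARY tables vanish when the connection closes.
$db->query('CREATE TEMPORARY TABLE replies (
    id INT AUTO_INCREMENT PRIMARY KEY,
    ticket_id INT NOT NULL,
    body TEXT NOT NULL
)');

// Constructed inputs: one with an apostrophe and quotes, one shaped like a payload.
$inputs = [
    "It's broken when I click \"Save\"",
    "' OR '1'='1",
];
$ticketId = 42;

$insert = $db->prepare('INSERT INTO replies (ticket_id, body) VALUES (?, ?)');

foreach ($inputs as $body) {
    // 1. Escape, then bind (what the question currently does). The backslashes
    //    that real_escape_string adds are transmitted as data, so they are stored.
    $escaped = $db->real_escape_string($body);
    $insert->bind_param('is', $ticketId, $escaped);
    $insert->execute();

    // 2. Bind the raw value. The driver sends it separately from the SQL text,
    //    so a quote inside it cannot end the literal or alter the statement.
    $insert->bind_param('is', $ticketId, $body);
    $insert->execute();
}

echo "Stored rows:\n";
$rows = $db->query('SELECT id, body FROM replies ORDER BY id')->fetch_all(MYSQLI_ASSOC);
foreach ($rows as $row) {
    printf("  %d: %s\n", $row['id'], $row['body']);
}

// Why the parameter is what protects you: the same input, two ways of using it.
$payload = "' OR '1'='1";

// VULNERABLE (for contrast only, do not copy): the input becomes part of the SQL
// text, so the WHERE clause reads  body = '' OR '1'='1'  and matches every row.
$unsafe = $db->query("SELECT COUNT(*) AS n FROM replies WHERE body = '$payload'")
             ->fetch_assoc();

// SAFE: the payload is compared as a plain string against the body column, so it
// can only match rows whose body is literally that text.
$safeStmt = $db->prepare('SELECT COUNT(*) AS n FROM replies WHERE body = ?');
$safeStmt->bind_param('s', $payload);
$safeStmt->execute();
$safe = $safeStmt->get_result()->fetch_assoc();

printf("Concatenated query matched %d rows; prepared query matched %d.\n",
    $unsafe['n'], $safe['n']);
```

Run it with `php demo.php` against a test database. The rows inserted through step 1 show the extra backslashes the question describes, the rows from step 2 hold the text exactly as typed, and the final two counts differ because only the concatenated query lets the input participate in the SQL grammar. The practical rule for the reply system is therefore: remove the real_escape_string call, keep bind_param, and use escaping only in the rare case where a value is being spliced into query text rather than bound.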