How to clean up string for MySQL

Question

I've used a mysql_real_escape_string till now but it seems that It's not working at GoDaddy Hostings. How should I clean up the string for a database? I've found a PDO::quote but the manual says

"If you are using this function to build SQL statements, you are strongly recommended to use PDO::prepare() to prepare SQL statements with bound parameters instead of using PDO::quote() to interpolate user input into an SQL statement. Prepared statements with bound parameters are not only more portable, more convenient, immune to SQL injection, but are often much faster to execute than interpolated queries, as both the server and client side can cache a compiled form of the query."

Is that means that prepare + bind_params are doing the same thing? Sorry for my English.

Answer 1

Unfortunately, PHP manual often being unclear, wrong or deceiving.

Prepared statements with bound parameters are

• more portable (not true)
• more convenient (that's the only true statement),
• immune to SQL injection (quote() makes things immune as well),
• often much faster to execute (a mere lie)

So, you can use either way, but prepared statements let you have the shorter code:

$id   = $pdo->quote($id);
$name = $pdo->quote($name);
$stm  = $pdo->query("SELECT * FROM t WHERE id=$id AND name=$name");

vs.

$stm  = $pdo->query("SELECT * FROM t WHERE id=? AND name=?");
$stm->execute(array($id,$name));

Though that's not the only reason: please refer to some explanations I made on Why one should use prepared statements