user3237819
Reputation:
Do I need mysqli_string_escape statement to avoid sql injection
Do I need mysqli_escape_string to avoid sql injection if I use mysqli prepared statement
Upvotes: 1
Views: 79
Answers (1)
Dany Caissy
Reputation: 3206
No you don't, prepared statements will ensure that your queries are sanitized properly.
In fact, prepared statements are the safest way to prevent injections, escaping is never 100% safe.
This explains why: Why is using a mysql prepared statement more secure than using the common escape functions?
- Consult the following links regarding prepared statements, or PDO with prepared statements.
Upvotes: 1
Related Questions
- Is mysqli_real_escape_string safe?
- Is "mysqli_real_escape_string" enough to avoid SQL injection or other SQL attacks?
- Mysqli Real Escape String Inside or Outside Query
- mysqli_real_escape_string, should I use it?
- Am I using mysqli_real_escape_string correctly?
- Correct usage of $mysqli->real_escape_string in PHP
- How Mysqli_escape_string or Prepared statement can save me from SQL Injection
- mysql(i)_real_escape_string, safe to rely on?
- PHP Mysqli - Parameter binding AND escape_string?
- PHP and MySQL - correct way to use mysqli_real_escape_string