I'm working on a PHP project with mysqli and need to retrieve the info from the user via $_POST. My problem is that I want to use prepared statements and mysqli->real_escape_string like this:
<?php
//$mysqli is the link to my database
if( isset($_POST['ID_name']) && isset($_POST['Nombre_name']) )
{
//just in case magic_quotes_gpc is on
//(stripslashes() takes the string only; the link goes to mysqli_real_escape_string())
$id = trim(htmlentities(mysqli_real_escape_string($mysqli, stripslashes($_POST['ID_name']))));
$nombre = trim(htmlentities(mysqli_real_escape_string($mysqli, stripslashes($_POST['Nombre_name']))));
//... more code validation but not referred to my question...
$query="insert into empleado_php values(?,?)";
if(!($consulta=$mysqli->stmt_init())){
echo"Error al crear la sentencia ingresar.php";
exit();
}
if(!($consulta->prepare($query))){
echo"Error al prepara la consulta ingresar.php";
exit();
}
//"ss": both placeholders are bound as strings
if(!($consulta->bind_param("ss", $id, $nombre))){
echo"Error anexando parametros ingresar.php";
exit();
}
if(!($consulta->execute())){
echo "Error al ejecutar la consulta";
echo"<br>";
echo "Error ".$consulta->error. "con codigo " .$consulta->errno;
exit();
}
else{
echo "Datos ingresados exitosamente !!!";
}
$consulta->close();
$mysqli->close();
}
?>
My question is: do I need to use mysqli_real_escape_string when using prepared statements? If yes, is my code good? Could you give a better sample?
Upvotes: 0
Views: 504
From http://php.net/manual/en/mysqli.quickstart.prepared-statements.php, section "Escaping and SQL injection":
Bound variables are sent to the server separately from the query and thus cannot interfere with it. The server uses these values directly at the point of execution, after the statement template is parsed. Bound parameters do not need to be escaped as they are never substituted into the query string directly. A hint must be provided to the server for the type of bound variable, to create an appropriate conversion. See the mysqli_stmt_bind_param() function for more information.
Upvotes: 1
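A cleaned-up version of the asker's insert, as an added example that is not part of the original question or answer: the prepared statement alone protects the query, so mysqli_real_escape_string() and stripslashes() are dropped, validation is done on the raw input, and HTML encoding moves to output time. The connection credentials and the column names id/nombre are assumptions.

```php
<?php
// Added example (not the asker's code). Assumes a table empleado_php(id, nombre)
// and the connection details below.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any mysqli error

$mysqli = new mysqli('localhost', 'user', 'password', 'database'); // assumed credentials
$mysqli->set_charset('utf8mb4'); // charset matters for the server-side conversion of bound values

if (!isset($_POST['ID_name'], $_POST['Nombre_name'])) {
    http_response_code(400);
    exit('Missing parameters');
}

// Validate the raw input for your own rules; do not "clean" it for SQL.
$id     = trim($_POST['ID_name']);
$nombre = trim($_POST['Nombre_name']);
if ($id === '' || $nombre === '' || mb_strlen($nombre) > 100) {
    http_response_code(400);
    exit('Invalid parameters');
}

try {
    // Placeholders only, never string concatenation: the values travel separately
    // from the SQL text in the execute step, so they cannot change the statement.
    $consulta = $mysqli->prepare('INSERT INTO empleado_php (id, nombre) VALUES (?, ?)');
    $consulta->bind_param('ss', $id, $nombre);
    $consulta->execute();
    $consulta->close();
} catch (mysqli_sql_exception $e) {
    error_log('insert failed: ' . $e->getMessage()); // details go to the log, not to the user
    http_response_code(500);
    exit('Error al ejecutar la consulta');
}

// Escaping belongs at the output boundary: HTML-encode only when echoing user data back.
echo 'Datos ingresados exitosamente: ' . htmlspecialchars($nombre, ENT_QUOTES, 'UTF-8');

$mysqli->close();
```

Storing the raw value and encoding on output also keeps the database free of HTML entities, which the original htmlentities()-before-insert approach would have written into the table.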