anvd
Reputation: 4047
Is mysql_real_escape_string() necessary when using prepared statements?
For this query, is necessary to use mysql_real_escape_string?
Any improvement or the query is fine ?
$consulta = $_REQUEST["term"]."%";
($sql = $db->prepare('select location from location_job where location like ?'));
$sql->bind_param('s', $consulta);
$sql->execute();
$sql->bind_result($location);
$data = array();
while ($sql->fetch()) {
$data[] = array('label' => $location);
}
The query speed is important in this case.
Upvotes: 24
Views: 8811
Answers (1)
SamT
Reputation: 10610
No, prepared queries (when used properly) will ensure data cannot change your SQL query and provide safe querying. You are using them properly, but you could make just one little change. Because you are using the '?' placeholder, it is easier to pass params through the execute method.
$sql->execute([$consulta]);
Just be careful if you're outputting that to your page, SQL parameter binding does not mean it will be safe for display within HTML, so run htmlspecialchars() on it as well when outputting.
Upvotes: 24
Related Questions
- Do I need to escape my variables if I use MySQLi prepared statements?
- real_escape_string vs. prepared statements
- mysqli_real_escape_string, should I use it?
- Concrete example of where mysql_real_escape_string fails and Prepared Statements are necessary
- Prepared statements and "real escape string"
- use mysqli_real_escape_string with prepared statement
- Is there a reason to sanitize using (mysqli_real_escape_string) on my $_GET or $_POST variables when using prepared statements?
- Do I need to escape my data values when I pass them to prepared SQL statements?
- mysqli_real_escape_string AND prepared statements?
- MySQL prepared statements do I still need to use mysql_escape_string