Is the mysql_real_escape_string() Function Required with Prepared Statements?
With a prepared statement such as:
<code class="php">$sql = $db->prepare('select location from location_job where location like ?');
$sql->bind_param('s', $consulta); // $consulta is sent to the server as a string parameter, not spliced into the SQL text
$sql->execute();
$sql->bind_result($location);
while ($sql->fetch()) { /* one matching $location per iteration */ }</code>
the mysql_real_escape_string() function is not necessary: the bound value reaches the server as data separate from the SQL text, so special characters in the input cannot change the structure of the query, which is what prevents SQL injection.
A shorter form is to pass the parameters as an array directly to the execute() method instead of a separate bind_param() call (mysqli_stmt::execute() accepts this since PHP 8.1; PDOStatement::execute() has always accepted it):
<code class="php">$sql->execute([$consulta]);</code>
However, the prepared statement only protects the SQL. The value is still raw text when it comes back out of the database, so escape it with htmlspecialchars() before displaying it in HTML to prevent cross-site scripting vulnerabilities.
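As an added example (not code from the original answer), the same LIKE lookup written with string concatenation for contrast, then with a prepared statement, plus the two details the answer above does not show: the LIKE wildcards have to be built into the parameter value in PHP (the '?' stands for a whole value, not a fragment of a string literal), and '%' and '_' in user input are still wildcards after binding. It assumes a mysqli connection in $db, the location_job table from the question, and the mysqlnd driver for get_result(); the function names and the ?q= input are made up for illustration.

```php
<?php
declare(strict_types=1);

// 1. VULNERABLE (shown only for contrast): the user's text is spliced into the SQL,
//    so quote characters in $consulta become part of the statement itself.
function findLocationsUnsafe(mysqli $db, string $consulta): array
{
    $rows = [];
    $res = $db->query("select location from location_job where location like '%$consulta%'");
    while ($row = $res->fetch_assoc()) {
        $rows[] = $row['location'];
    }
    return $rows;
}

// 2. SAFE: the value travels as a bound parameter and is never parsed as SQL, so no
//    mysql_real_escape_string() call is needed. The wildcards are added in PHP because
//    a placeholder replaces a complete value ("like '%?%'" would not be a placeholder).
function findLocationsPrepared(mysqli $db, string $consulta): array
{
    $stmt = $db->prepare('select location from location_job where location like ?');
    $pattern = '%' . $consulta . '%';
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $stmt->bind_result($location);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = $location;
    }
    $stmt->close();
    return $rows;
}

// 3. SAME, shorter: mysqli_stmt::execute() accepts the parameters as an array since
//    PHP 8.1. get_result() requires the mysqlnd driver (assumption for this example).
function findLocationsPrepared81(mysqli $db, string $consulta): array
{
    $stmt = $db->prepare('select location from location_job where location like ?');
    $stmt->execute(['%' . $consulta . '%']);
    return array_column($stmt->get_result()->fetch_all(MYSQLI_ASSOC), 'location');
}

// Binding stops SQL injection only. '%' and '_' inside $consulta are still LIKE
// wildcards, so escape them when a literal substring match is wanted. MySQL's
// default LIKE escape character is the backslash.
function likeLiteral(string $s): string
{
    return addcslashes($s, '\\%_');
}

// Constructed input, e.g. ?q=Madrid . The value is also raw text on the way out,
// so it is escaped for the HTML context at the point of output.
$consulta = $_GET['q'] ?? '';
foreach (findLocationsPrepared($db, likeLiteral($consulta)) as $location) {
    echo htmlspecialchars($location, ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

Note that the three functions return the same rows for ordinary input; the difference is only in how the input reaches the server. If your mysqli is older than 8.1, use the bind_param() form from the second function.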
The above is the detailed content of Do I Need `mysql_real_escape_string()` with Prepared Statements?. For more information, please follow other related articles on the PHP Chinese website!