
Do I Need `mysql_real_escape_string()` with Prepared Statements?

Susan Sarandon
2024-11-02 20:11:30


Is the mysql_real_escape_string() Function Required with Prepared Statements?

When a query is run through a prepared statement, as in this mysqli example:

```php
// $db is an open mysqli connection; $consulta holds the search term.
// Because the placeholder stands in for the whole value, any LIKE
// wildcards belong inside $consulta itself (e.g. "%$term%"), not in the SQL.
$sql = $db->prepare('select location from location_job where location like ?');

$sql->bind_param('s', $consulta);
$sql->execute();
$sql->bind_result($location);
```

the mysql_real_escape_string() function is not necessary. A prepared statement sends the bound value to the server separately from the SQL text, so any special characters in the input are treated as data rather than as part of the query; that is what makes prepared statements a secure defence against SQL injection.

A small simplification: since the query already uses a '?' placeholder, the parameter can be passed straight to execute() instead of through a separate bind_param() call. PDO has always accepted parameters this way; mysqli's execute() accepts the array only since PHP 8.1:

```php
$sql->execute([$consulta]);
```

Prepared statements only protect the database query. Before echoing a value into an HTML page, still pass it through htmlspecialchars() to prevent cross-site scripting.
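The two points above, the query side and the output side, combined into one search handler. This is an added example, not code from the original article: it assumes a PDO connection to a MySQL database holding the article's location_job table, and the DSN, credentials and request parameter name are placeholders.

```php
<?php
declare(strict_types=1);

// Added example (not from the original article). Assumes the location_job
// table from the article; DSN and credentials below are placeholders.
function connect(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=example_db;charset=utf8mb4', // placeholder DSN
        'example_user',                                           // placeholder
        'example_password',                                       // placeholder
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Server-side prepares: the bound value never travels inside the SQL text.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// UNSAFE, shown only for contrast: the term is spliced into the SQL text,
// so whoever controls $term controls the structure of the query.
function findLocationsUnsafe(PDO $pdo, string $term): array
{
    $sql = "SELECT location FROM location_job WHERE location LIKE '%" . $term . "%'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// SAFE: the SQL text is fixed; the term reaches the server as a parameter value.
// The '%' wildcards are added to the value, not to the SQL string.
function findLocations(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare('SELECT location FROM location_job WHERE location LIKE ?');
    $stmt->execute(['%' . $term . '%']);   // parameters passed directly to execute()
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A bound value cannot break the query, but '%' and '_' inside it still act
// as LIKE wildcards. Backslash-escape them so the user's text matches literally
// (MySQL's default LIKE escape character is the backslash).
function escapeLike(string $term): string
{
    return addcslashes($term, '\\%_');
}

// Render the result list. The database step and the HTML step need different
// handling: parameter binding for the query, htmlspecialchars() for the page.
function renderSearch(PDO $pdo, string $term): string
{
    $html = '<ul>';
    foreach (findLocations($pdo, escapeLike($term)) as $location) {
        $html .= '<li>' . htmlspecialchars($location, ENT_QUOTES, 'UTF-8') . '</li>';
    }
    return $html . '</ul>';
}

// Request entry point; 'q' is a placeholder parameter name.
$term = (string) ($_GET['q'] ?? '');
echo renderSearch(connect(), $term);
```

The split between escapeLike() and htmlspecialchars() is the practical takeaway: escaping is always specific to the sink. Parameter binding handles the SQL sink, a LIKE escape handles wildcard semantics inside an otherwise safe value, and HTML escaping handles the browser. None of the three substitutes for another.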

