
Do I Need `mysql_real_escape_string()` with Prepared Statements?

Susan Sarandon
Release: 2024-11-02 20:11:30


Is the mysql_real_escape_string() Function Required with Prepared Statements?

When using a prepared statement such as the following mysqli example, where `$db` is an open mysqli connection and `$consulta` holds the user-supplied LIKE pattern:

```php
// Prepare the query once; the ? placeholder will receive the value as data, not as SQL text.
$sql = $db->prepare('select location from location_job where location like ?');

$sql->bind_param('s', $consulta);   // 's' = bind the value as a string
$sql->execute();
$sql->bind_result($location);       // map the single selected column to $location
while ($sql->fetch()) {             // each iteration fills $location with the next row
    echo $location, PHP_EOL;
}
```

the mysql_real_escape_string() function is not necessary. A bound parameter is transmitted to the server separately from the SQL text (or, with emulated prepares, escaped by the driver before it is spliced in), so special characters in the input are handled for you and the value can never change the structure of the statement. That is what makes prepared statements a reliable defence against SQL injection. Note that `%` and `_` inside the bound value still act as LIKE wildcards; that affects which rows match, not the safety of the query.

One way to shorten the code is to keep the `?` placeholder but pass the parameters directly to the execute method instead of calling bind_param() first. This is how PDOStatement::execute() works, and mysqli_stmt::execute() accepts the same array argument on PHP 8.1 and later:

```php
// Equivalent to bind_param('s', $consulta) followed by execute()
$sql->execute([$consulta]);
```

However, a prepared statement only protects the database. Values read back from it (or any other user-controlled text) must still be escaped with htmlspecialchars() before they are echoed into HTML, otherwise the page is open to cross-site scripting.
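As an added example (not code from the original article), the following script runs the same `location_job` lookup three ways against an in-memory SQLite database through PDO, so it works offline with only the `pdo_sqlite` extension. It contrasts string concatenation with a bound placeholder, shows how to keep `%` and `_` literal when that is wanted, and finishes with the htmlspecialchars() step for output. The table and column names follow the article; the seeded rows, the hostile inputs and the helper names (`searchUnsafe`, `searchSafe`, `searchLiteral`, `renderList`) are constructed for this demonstration.

```php
<?php
// Added example, not part of the original article. Uses PDO + SQLite so it runs offline.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE location_job (id INTEGER PRIMARY KEY, location TEXT NOT NULL)');

// Constructed sample rows; O'Fallon is here to show a quote inside legitimate data.
$seed = $db->prepare('INSERT INTO location_job (location) VALUES (?)');
foreach (['Berlin', 'Boston', "O'Fallon"] as $row) {
    $seed->execute([$row]);
}

// 1. Vulnerable: the user's text becomes part of the SQL. A value such as
//    "' OR '1'='1" changes the statement's structure instead of its data,
//    and a lone quote in ordinary input (O'Fallon) breaks the query outright.
function searchUnsafe(PDO $db, string $term): array
{
    $sql = "SELECT location FROM location_job WHERE location LIKE '%$term%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Safe: the value is bound to a placeholder, so quotes and keywords inside
//    it are just characters to match. The % wildcards belong to the VALUE,
//    which is the usual LIKE pitfall: they cannot go into the SQL text.
//    % and _ typed by the user still behave as wildcards here.
function searchSafe(PDO $db, string $term): array
{
    $stmt = $db->prepare('SELECT location FROM location_job WHERE location LIKE ?');
    $stmt->execute(['%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Safe and literal: escape the LIKE metacharacters in the input and tell
//    the database which escape character was used.
function searchLiteral(PDO $db, string $term): array
{
    $escaped = strtr($term, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
    $stmt = $db->prepare("SELECT location FROM location_job WHERE location LIKE ? ESCAPE '\\'");
    $stmt->execute(['%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Output escaping is a separate layer: a value that is harmless to the
// database can still carry markup or script when echoed into a page.
function renderList(array $locations): string
{
    $items = array_map(
        fn (string $l): string => '<li>' . htmlspecialchars($l, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>',
        $locations
    );
    return '<ul>' . implode('', $items) . '</ul>';
}

$hostile = "' OR '1'='1";   // constructed injection-style input

// The bound version treats the whole string as a pattern to look for, so
// nothing matches; the concatenated version would instead return every row.
var_dump(searchSafe($db, $hostile));

// A quote in normal input is a non-issue once it is bound.
var_dump(searchSafe($db, "O'Fal"));

// '%' as input: searchSafe matches everything, searchLiteral matches nothing.
var_dump(searchSafe($db, '%'), searchLiteral($db, '%'));

// The same quote that is harmless to SQLite would break the unsafe query.
try {
    searchUnsafe($db, "O'Fal");
} catch (PDOException $e) {
    echo 'unsafe query failed: ', $e->getMessage(), PHP_EOL;
}

// Escape on the way out regardless of how the data was fetched.
echo renderList(searchSafe($db, 'B')), PHP_EOL;
echo renderList(['<script>alert(1)</script>']), PHP_EOL;
```

The point to take from the three search functions is that the prepared form needs no escaping call at all, while the LIKE-specific escaping in `searchLiteral` is about matching semantics, not about injection. `renderList` is the htmlspecialchars() step the article asks for; it runs on whatever comes back from the database, since a prepared statement says nothing about whether a stored value is safe to render.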


source:php.cn