Thread: https://forums.phpfreaks.com/topic/123789-solved-quick-question-regarding-mysqli-extension/

KevinM1, posted September 11, 2008:
Is it true that using prepared statements automatically escapes any string variables used in/bound to those statements?
BlueSkyIS, posted September 11, 2008:
Apparently, yes: http://devzone.zend.com/node/view/id/686#Heading10
> The data for the query does not need to be passed through a function like mysql_real_escape_string() to ensure that no SQL injection attacks[4] occur. Instead, the MySQL client and server work together to ensure that the sent data is handled safely when it is combined with the prepared statement.
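To make the answer concrete, here is an added example (not code from the thread or from the Zend article) showing the string-interpolated query beside the mysqli prepared-statement version. It assumes a `users` table with `username` and `email` columns and placeholder connection credentials.

```php
<?php
// Added example; assumes a `users` table and placeholder credentials.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');

// Unsafe: the user-supplied value is pasted into the SQL text, so a quote
// character inside it changes the structure of the statement the server parses.
function findUserUnsafe(mysqli $db, string $username): ?array
{
    $sql = "SELECT username, email FROM users WHERE username = '$username'";
    return $db->query($sql)->fetch_assoc() ?: null;
}

// Safe: the SQL text (with a ? placeholder) is sent to the server first and the
// value travels separately in the execute step, so the server never parses the
// value as SQL. No mysqli_real_escape_string() call is needed.
function findUserSafe(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT username, email FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);      // 's' = bind as a string
    $stmt->execute();
    $stmt->bind_result($name, $email);      // works without mysqlnd, unlike get_result()
    $row = $stmt->fetch() ? ['username' => $name, 'email' => $email] : null;
    $stmt->close();
    return $row;
}

// Constructed input containing a single quote. As a bound value it is just a
// string that matches (or does not match) a row; in the interpolated version
// the same input produces a malformed statement and a MySQL syntax error.
$input = "o'brien";
var_dump(findUserSafe($db, $input));
```

Binding covers values only: table and column names, ORDER BY direction and similar keywords cannot be passed through bind_param(), so those must still be validated against a fixed allow-list in application code.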
KevinM1 (author), posted September 11, 2008:
> Apparently, yes: http://devzone.zend.com/node/view/id/686#Heading10
> The data for the query does not need to be passed through a function like mysql_real_escape_string() to ensure that no SQL injection attacks[4] occur. Instead, the MySQL client and server work together to ensure that the sent data is handled safely when it is combined with the prepared statement.

I thought I read/heard something like that before, but it's nice to get confirmation. Thanks!