KevinM1 Posted September 11, 2008
Is it true that using prepared statements automatically escapes any string variables used in/bound to those statements?
https://forums.phpfreaks.com/topic/123789-solved-quick-question-regarding-mysqli-extension/
BlueSkyIS Posted September 11, 2008
Apparently, yes: http://devzone.zend.com/node/view/id/686#Heading10

"The data for the query does not need to be passed through a function like mysql_real_escape_string() to ensure that no SQL injection attacks[4] occur. Instead, the MySQL client and server work together to ensure that the sent data is handled safely when it is combined with the prepared statement."
KevinM1 Posted September 11, 2008 (Author)
Quote (BlueSkyIS): "Apparently, yes: http://devzone.zend.com/node/view/id/686#Heading10 The data for the query does not need to be passed through a function like mysql_real_escape_string() to ensure that no SQL injection attacks[4] occur. Instead, the MySQL client and server work together to ensure that the sent data is handled safely when it is combined with the prepared statement."

I thought I read/heard something like that before, but it's nice to get confirmation. Thanks!
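The point in BlueSkyIS's answer, shown as an added example that is not from the original thread or from the Zend article: the same user lookup written once by splicing the input into the SQL text and once as a mysqli prepared statement with a bound parameter, followed by the caveat the thread does not spell out, that only values can be bound, so identifiers and sort keywords still need a whitelist. The connection parameters, the `users` table and its `id`, `username` and `created_at` columns are assumptions for the demo.

```php
<?php
// Added example, not code from the forum thread. The connection details
// and the users table are assumed; substitute your own.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    die('Connect failed: ' . $db->connect_error);
}

// Attacker-controlled input, constructed for the demo: the classic
// "always true" login payload.
$username = "admin' OR '1'='1";

// VULNERABLE: the value becomes part of the SQL text, so the single quote
// closes the string literal and the rest is parsed as SQL. Resulting query:
//   SELECT id, username FROM users WHERE username = 'admin' OR '1'='1'
// which matches every row. Shown only for contrast; never run this form.
$vulnerableSql = "SELECT id, username FROM users WHERE username = '$username'";

// SAFE: the statement text with a ? placeholder is sent to the server and
// parsed first; the value travels separately as data and is never parsed as
// SQL. No escaping step is needed, and the quote is just a character.
$stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
if ($stmt === false) {
    die('Prepare failed: ' . $db->error);
}
$stmt->bind_param('s', $username);   // 's' = bind as string
$stmt->execute();
$stmt->bind_result($id, $name);
$found = [];
while ($stmt->fetch()) {
    $found[] = ['id' => $id, 'username' => $name];
}
$stmt->close();
// $found is empty unless a user is literally named  admin' OR '1'='1

// CAVEAT: placeholders stand for values only. A table or column name, or
// ASC/DESC, cannot be bound, so anything that selects those must be mapped
// through a fixed whitelist rather than taken from the request.
$allowedSort = ['username' => 'username', 'created' => 'created_at'];
$sortKey = $_GET['sort'] ?? 'username';
if (!isset($allowedSort[$sortKey])) {
    $sortKey = 'username';               // unknown key: fall back, don't interpolate
}
$orderBy = $allowedSort[$sortKey];       // value comes from our own array, not the input
$limit   = 20;

// LIMIT does accept a bound integer, so that part stays a placeholder.
$stmt = $db->prepare("SELECT id, username FROM users ORDER BY $orderBy LIMIT ?");
$stmt->bind_param('i', $limit);          // 'i' = bind as integer
$stmt->execute();
$stmt->bind_result($id, $name);
while ($stmt->fetch()) {
    echo "$id: $name\n";
}
$stmt->close();
$db->close();
```

The first statement demonstrates what the Zend passage describes: mysqli uses native server-side prepares, so the server receives the query shape and the data in separate protocol messages and there is nothing for mysql_real_escape_string() to do. The second statement shows the boundary of that guarantee; a bound parameter can only ever be a value, so the ORDER BY column is chosen from a whitelist array and only the LIMIT count is bound.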