Mko, posted August 19, 2012

Hey all, I have a quick question regarding MySQLi Prepared Statements. Say I have the following code:

    $stmt = $database->stmt_init();
    // The salt contains a single quote, a double quote and a backslash;
    // the inner single quotes are escaped only so PHP can parse the literal.
    $salt = '4_X4cC@p\o\'eOaqf"-?gPc5\'|C~UcL';
    $stmt->prepare("UPDATE table SET salt = (?) WHERE id = 1");
    $stmt->bind_param('s', $salt);
    $stmt->execute();
    $stmt->close();

My question is pretty simple: if I pass the value of $salt (or anything that contains a quote, double quote, or backslash) into a MySQLi Prepared Statement, will it function properly and succeed in executing the query? Or do I need to perform mysqli_real_escape_string on the variable in order to make it so the query can read it successfully?

Thanks for any help,
Mark
jcbones, posted August 19, 2012

The mysqli object handles all escaping internally. Being that you are passing the salt as a string, it will pass the variable (by reference) through the mysqli::real_escape_string() function.
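A round-trip check of the behaviour asked about above, as an added example that is not part of the original thread. With native mysqli prepared statements the bound value is transmitted to the server separately from the SQL text, so quotes and backslashes in it are stored verbatim without any call to real_escape_string. The connection values and the table name are placeholders, and the helper functions storeSalt and loadSalt are assumptions introduced for the example.

```php
<?php
// Added example; not code from the original thread. Assumes a reachable
// MySQL server; connection values and the table name are placeholders.
declare(strict_types=1);

// Throw mysqli_sql_exception on any error instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholders

// Scratch table that disappears with the connection.
$db->query('CREATE TEMPORARY TABLE demo_salts (id INT PRIMARY KEY, salt VARCHAR(64) NOT NULL)');
$db->query("INSERT INTO demo_salts (id, salt) VALUES (1, 'placeholder')");

// Same salt as in the question. The inner single quotes are escaped only so
// PHP can parse the literal; the resulting value contains ' " and \ verbatim.
$salt = '4_X4cC@p\o\'eOaqf"-?gPc5\'|C~UcL';

// Store the salt through a bound parameter. No escaping is applied to $salt:
// the value never becomes part of the SQL text, so it cannot alter the statement.
function storeSalt(mysqli $db, int $id, string $salt): void
{
    $stmt = $db->prepare('UPDATE demo_salts SET salt = ? WHERE id = ?');
    $stmt->bind_param('si', $salt, $id);
    $stmt->execute();
    $stmt->close();
}

// Read the salt back, again through a bound parameter.
function loadSalt(mysqli $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT salt FROM demo_salts WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($value);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $value : null;
}

storeSalt($db, 1, $salt);
$roundTrip = loadSalt($db, 1);

// Strict comparison: the stored string must be byte-for-byte what was bound.
echo ($roundTrip === $salt) ? "round trip intact\n" : "round trip altered\n";

// Contrast: splicing the same value into the SQL text is the pattern that
// needs escaping and is the one to avoid. The first ' in $salt terminates the
// string literal, so MySQL rejects the statement.
$spliced = "UPDATE demo_salts SET salt = '$salt' WHERE id = 1";
try {
    $db->query($spliced);
    echo "unexpected: spliced query was accepted\n";
} catch (mysqli_sql_exception $e) {
    echo 'spliced query rejected: ' . $e->getMessage() . "\n";
}
```

The strict comparison after the round trip is the check worth keeping in real code: if an escaping layer were applied on top of a bound parameter, the stored salt would come back with extra backslashes and the comparison would fail, which is the usual symptom of double escaping.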