thilakan Posted October 8, 2014

PDO prepared statements using mysqli_real_escape_string

Is it a good idea to use mysqli_real_escape_string for extra security in the prepared statements?

<?php
try {
    require_once '../includes/pdo_connect.php';
    // Note: mysqli_real_escape_string() takes a mysqli connection as its first argument
    $make = mysqli_real_escape_string($_GET['make']);
    $sql = 'SELECT * FROM cars WHERE make LIKE :make AND yearmade >= :yearmade AND price <= :price ORDER BY price';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':make', '%' . $make . '%');
    $stmt->bindParam(':yearmade', $_GET['yearmade'], PDO::PARAM_INT);
    $stmt->bindParam(':price', $_GET['price'], PDO::PARAM_INT);
    $stmt->execute();
    $errorInfo = $stmt->errorInfo();
    if (isset($errorInfo[2])) {
        $error = $errorInfo[2];
    }
} catch (Exception $e) {
    $error = $e->getMessage();
}

Source: https://forums.phpfreaks.com/topic/291506-pdo-prepared-statements-using-mysqli_real_escape_string/
Jacques1 Posted October 8, 2014

No, it's not a good idea. It's actually plain wrong. What you need to understand is that the parameters of a prepared statement are treated as data. They're not processed by the SQL parser (that's the whole point). So if you have backslashes in your string, then you end up with literal backslashes. And that will certainly break your search function. You either use a prepared statement, or you manually escape the values. But you can't have both.
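The effect described in the reply above, as an added example that is not code from the original thread. It assumes the pdo_sqlite extension is available, so an in-memory SQLite database stands in for MySQL and the cars table and its rows are constructed inline; addslashes() stands in for mysqli_real_escape_string(), which needs a live mysqli connection (it uses the connection's character set), and both functions put a backslash before quotes and backslashes. findByMake() is a helper invented for the example.

```php
<?php
// Added example, not from the original thread. It shows what happens when a
// value is escaped and then bound to a prepared statement: the backslash that
// escaping adds is never consumed by the SQL parser and becomes part of the data.
//
// Assumptions: pdo_sqlite is installed (in-memory SQLite replaces MySQL), the
// table and rows below are constructed for the demo, and addslashes() replaces
// mysqli_real_escape_string(), which requires a mysqli connection.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cars (make TEXT, yearmade INTEGER, price INTEGER)');
$ins = $db->prepare('INSERT INTO cars (make, yearmade, price) VALUES (?, ?, ?)');
$ins->execute(["O'Brien", 2010, 9000]);
$ins->execute(['Ford', 2012, 7000]);

/**
 * Look up cars by exact make through a prepared statement.
 * With $escapeFirst = true the value is escaped before binding, which is the
 * mistake from the question. Returns [value actually bound, matching makes].
 */
function findByMake(PDO $db, string $make, bool $escapeFirst): array
{
    if ($escapeFirst) {
        // Wrong: a bound parameter is sent as data, so the added backslash is
        // not treated as an escape character; it is simply part of the string.
        $make = addslashes($make);
    }
    $stmt = $db->prepare('SELECT make FROM cars WHERE make = :make ORDER BY price');
    $stmt->bindValue(':make', $make);
    $stmt->execute();
    return [$make, $stmt->fetchAll(PDO::FETCH_COLUMN)];
}

// Untrusted input exactly as a user would type it, quote included.
$userInput = "O'Brien";

// Correct: bind the raw value. The quote is data and the row is found.
[$bound, $rows] = findByMake($db, $userInput, false);
echo "bound [{$bound}] matched: ", implode(', ', $rows), "\n";

// Wrong: escape, then bind. The database is asked for the make O\'Brien,
// which does not exist, so the search silently returns nothing.
[$bound, $rows] = findByMake($db, $userInput, true);
echo "bound [{$bound}] matched: ", implode(', ', $rows), "\n";

// An injection attempt is harmless without any manual escaping: the quotes
// are data too, and the database looks for a make with that literal text.
[$bound, $rows] = findByMake($db, "' OR '1'='1", false);
echo "bound [{$bound}] matched: ", implode(', ', $rows), "\n";
```

Run with `php example.php`: the first lookup matches O'Brien, the second binds O\'Brien and matches nothing, and the injection attempt matches nothing. The example compares with `=` rather than the `LIKE` of the question because `\` is also MySQL's default escape character in LIKE patterns, which can hide the corruption in a pattern match even though the backslash is still in the bound data.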
thilakan Posted October 8, 2014 (Author)

Thank you for making it clear.
Archived
This topic is now archived and is closed to further replies.