thilakan Posted October 8, 2014

PDO prepared statements using mysqli_real_escape_string

Is it a good idea to use mysqli_real_escape_string for extra security in the prepared statements?

```php
<?php
try {
    require_once '../includes/pdo_connect.php';   // provides $db, a PDO instance

    // The call in question: escaping the value before it is bound
    $make = mysqli_real_escape_string($_GET['make']);

    $sql = 'SELECT * FROM cars
            WHERE make LIKE :make AND yearmade >= :yearmade AND price <= :price
            ORDER BY price';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':make', '%' . $make . '%');
    $stmt->bindParam(':yearmade', $_GET['yearmade'], PDO::PARAM_INT);
    $stmt->bindParam(':price', $_GET['price'], PDO::PARAM_INT);
    $stmt->execute();

    $errorInfo = $stmt->errorInfo();
    if (isset($errorInfo[2])) {
        $error = $errorInfo[2];
    }
} catch (Exception $e) {
    $error = $e->getMessage();
}
```
Jacques1 Posted October 8, 2014 (marked as solution)

No, it's not a good idea. It's actually plain wrong.

What you need to understand is that the parameters of a prepared statement are treated as data. They're not processed by the SQL parser (that's the whole point). So if you have backslashes in your string, then you end up with literal backslashes. And that will certainly break your search function.

You either use a prepared statement, or you manually escape the values. But you can't have both.
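The effect described in the answer, as an added example that is not part of the original thread: it uses Python's sqlite3 in place of PDO/MySQL, a hand-written `mysql_escape` helper that imitates what mysqli_real_escape_string does to a string (an assumption for demonstration, not the real function), constructed sample rows, and an equality match rather than LIKE so the result does not depend on the database's LIKE escape rules.

```python
import sqlite3

# Constructed sample data: one make contains an apostrophe, the character
# that tempts people to reach for an escaping function.
CARS = [
    ("O'Neil Motors", 2012, 9500),
    ("Ford", 2010, 7000),
]

def mysql_escape(s: str) -> str:
    """Hypothetical imitation of mysqli_real_escape_string: prefix the
    characters MySQL's string parser treats specially with a backslash."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in s)

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cars (make TEXT, yearmade INTEGER, price INTEGER)")
    conn.executemany("INSERT INTO cars VALUES (?, ?, ?)", CARS)
    return conn

def search_make(conn, make: str, escape_first: bool) -> list:
    """Parameterised lookup. With escape_first=True the value is escaped
    before binding, as in the question; the backslash is then bound as
    data, so the database compares against the wrong string."""
    value = mysql_escape(make) if escape_first else make
    rows = conn.execute("SELECT make FROM cars WHERE make = ?", (value,))
    return [r[0] for r in rows]

def insert_make(conn, make: str, escape_first: bool) -> str:
    """Parameterised insert; returns what the database actually stored."""
    value = mysql_escape(make) if escape_first else make
    cur = conn.execute("INSERT INTO cars VALUES (?, 2014, 1)", (value,))
    row = conn.execute("SELECT make FROM cars WHERE rowid = ?", (cur.lastrowid,)).fetchone()
    return row[0]

def demo() -> dict:
    conn = open_db()
    return {
        # Correct: bind the raw value, the driver keeps it out of the parser.
        "bound_raw": search_make(conn, "O'Neil Motors", escape_first=False),
        # Escape then bind: no match, the bound value now contains a backslash.
        "escaped_then_bound": search_make(conn, "O'Neil Motors", escape_first=True),
        # Escape then insert: the backslash is persisted as part of the data.
        "stored_after_escape": insert_make(conn, "O'Neil Motors", escape_first=True),
    }

if __name__ == "__main__":
    print(demo())
```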
thilakan Posted October 8, 2014 (author)

Thank you for making it clear.