thilakan Posted October 8, 2014 Share Posted October 8, 2014 PDO-Prepared Statements using mysqli_real_escape_string Is it a good Idea to use mysqli_real_escape_string for extra security In the Prepared Statements <?php try { require_once '../includes/pdo_connect.php'; $make = mysqli_real_escape_string($_GET['make']); $sql = 'SELECT * FROM cars WHERE make LIKE :make AND yearmade >= :yearmade AND price <= :price ORDER BY price'; $stmt = $db->prepare($sql); $stmt->bindValue(':make', '%' . $make . '%'); $stmt->bindParam(':yearmade', $_GET['yearmade'], PDO::PARAM_INT); $stmt->bindParam(':price', $_GET['price'], PDO::PARAM_INT); $stmt->execute(); $errorInfo = $stmt->errorInfo(); if (isset($errorInfo[2])) { $error = $errorInfo[2]; } } catch (Exception $e) { $error = $e->getMessage(); } Quote Link to comment https://forums.phpfreaks.com/topic/291506-pdo-prepared-statements-using-mysqli_real_escape_string/ Share on other sites More sharing options...
Solution Jacques1 Posted October 8, 2014 Solution Share Posted October 8, 2014 No, it's not a good idea. It's actually plain wrong. What you need to understand is that the parameters of a prepared statement are treated as data. They're not processed by the SQL parser (that's the whole point). So if you have backslashes in your string, then you end up with literal backslashes. And that will certainly break your search function. You either use a prepared statement, or you manually escape the values. But you can't have both. Quote Link to comment https://forums.phpfreaks.com/topic/291506-pdo-prepared-statements-using-mysqli_real_escape_string/#findComment-1493022 Share on other sites More sharing options...
thilakan Posted October 8, 2014 Author Share Posted October 8, 2014 Thank you for making it clear. Quote Link to comment https://forums.phpfreaks.com/topic/291506-pdo-prepared-statements-using-mysqli_real_escape_string/#findComment-1493023 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.