I have the following code:
    // Sets the 'active' flag of the item whose id comes from the query string.
    function dbPublish($status)
    {
        global $dbcon, $dbtable;   // $dbcon is a mysqli connection, $dbtable the table name
        if (isset($_GET['itemId']))
        {
            // Placeholders (?) stand in for the values; they are never concatenated into the SQL.
            $sqlQuery = 'UPDATE ' . $dbtable . ' SET active = ? WHERE id = ?';
            $stmt = $dbcon->prepare($sqlQuery);
            // 'ii' binds both values as integers; bind_param takes its arguments by reference.
            $stmt->bind_param('ii', $status, $_GET['itemId']);
            $stmt->execute();
            $stmt->close();
        }
    }
Do I need to mysql_real_escape_string in this case or am I okay?
No, you don't have to escape the value yourself (i.e. no, you don't need to call mysqli_real_escape_string) when you are using prepared statements: the DB engine will do that itself.

(Actually, if you were calling mysql_real_escape_string and using bound parameters, your strings would get escaped twice, which would not be great: you'd end up with escaping characters everywhere...)

As a sidenote: your values are passed as integers (as indicated by the 'ii'), so you wouldn't have to call mysql_real_escape_string even if you were not using prepared statements: as its name indicates, this function is used to escape... strings.

For integers, I generally just use intval to make sure the data I inject into my SQL queries really are integers.

(But, as you are using prepared queries, once again, you don't have to do that kind of escaping yourself.)
No, you must not. Combining the two would result in visible escape characters showing up in your data.
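Both answers make the same two points: bound parameters need no manual escaping, and escaping first then binding stores the escape characters as data. The example below is added here and is not from the question or either answer; it uses Python with an in-memory SQLite database as a stand-in for PHP/mysqli (which needs a live MySQL server), and `mysql_style_escape` is a simplified, constructed imitation of mysql_real_escape_string's backslash escaping, not the real function. The table, rows and sample values are constructed.

```python
import sqlite3

# Constructed sample value: contains a quote and a backslash, the characters escaping targets.
SAMPLE_NAME = "O'Reilly \\ Co"


def mysql_style_escape(value: str) -> str:
    """Simplified imitation of mysql_real_escape_string: backslash-prefix the
    characters it escapes. Stand-in only; the real function is charset-aware."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0", "\n": "\\n", "\r": "\\r"}
    return "".join(table.get(ch, ch) for ch in value)


def setup_db() -> sqlite3.Connection:
    """Constructed schema mirroring the question's table: an id and an 'active' flag."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, active INTEGER)")
    con.execute("INSERT INTO items (id, name, active) VALUES (1, 'placeholder', 0)")
    return con


def store_name(con: sqlite3.Connection, item_id: int, name: str, pre_escape: bool) -> str:
    """Bind `name` as a parameter, optionally escaping it first, then read back what was stored.
    With pre_escape=True the backslashes become part of the data (the double-escaping problem)."""
    value = mysql_style_escape(name) if pre_escape else name
    con.execute("UPDATE items SET name = ? WHERE id = ?", (value, item_id))
    return con.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchone()[0]


def parse_item_id(raw) -> int:
    """Integer validation for the id, stricter than intval(): reject anything that is
    not a whole number instead of silently truncating it."""
    try:
        return int(str(raw).strip())
    except ValueError:
        raise ValueError(f"itemId is not an integer: {raw!r}") from None


def db_publish(con: sqlite3.Connection, status: int, raw_item_id) -> int:
    """The question's dbPublish() logic: both values bound as integers, no manual escaping.
    Returns the stored 'active' value for the row."""
    item_id = parse_item_id(raw_item_id)
    con.execute("UPDATE items SET active = ? WHERE id = ?", (int(status), item_id))
    return con.execute("SELECT active FROM items WHERE id = ?", (item_id,)).fetchone()[0]
```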