Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Do I need to escape data to protect against SQL injection when using bind_param() on MySQLi?

Tags:

php

mysqli

sqlbindparameter

As the title says, do I have to escape user input when using bind_param() or is that done internally?

Thank you.

like image 989
Francisc Avatar asked Sep 13 '11 23:09

Francisc

1 Answers

No, you do not need to escape data to protect against SQL injection when binding parameters.

This does not absolve you from validating said data though.

When binding parameters, there is no escaping performed (internally or otherwise). An SQL statement is prepared with parameter placeholders and values for these are passed at execution time.

The database knows what parameters are and treats them accordingly as opposed to SQL value interpolation.

like image 162
Phil Avatar answered Sep 28 '22 01:09

Phil
Sign in to Comment

Related questions

PHP die() vs. echo
pdo fetch object?
how to check for unused variables/functions in class
What's the equivalent of php time() in mssql?
PHP - retrieve first element of json string without converting to array
Dynamically populating a static variable in PHP
What is PHP's each() function useful for?
Storing javascript Date() in mySQL
Regular expression for length only - any characters
How to Implement A Recommendation System?
how to match value in PHP array and then find key value?
Get all objects of a particular class
Add days to current date from MySQL with PHP
CodeIgniter - Blank page on database autoload
How to find position of a character in a string in PHP
conditionally add blocks in magento layout
Dynamic PHP content, storing it and executing daily rather than every page load?
Why does strtotime give different result in different timezone?
Cron jobs in codeigniter
PHP Get Cookies From Header String

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!