Should I still sanitise input with mysqli?

Tags:

php

I'm using mysqli prepared statements. Should I still sanitise the user input with some function like:

function sanitise($string){
  $string = strip_tags($string); // Remove HTML
  $string = htmlspecialchars($string); // Convert characters
  $string = trim(rtrim(ltrim($string))); // Remove spaces
  $string = mysql_real_escape_string($string); // Prevent SQL Injection
  return $string;
}

Thanks.

Jay asked Dec 29 '22 00:12


2 Answers

No! No and no. If you are already using prepared statements, MySQL needs to see the value, not some escaped version of it. If you add mysql_real_escape_string to a string and make that the value for a prepared statement, you have just junked it; for example, quotes get doubled up!

Now, as for sanitising data-wise, that's entirely up to the business rules as to what is or is not valid input. In your example, strip_tags is more about html->raw (format) conversion than sanitation. So is rtrim(ltrim(...)); this is a business transformation.

RichardTheKiwi answered Jan 08 '23 08:01


Yes. When using prepared statements you are safe from MySQL injection, but there could still be special characters, tags to strip, or spaces, so you will still need to take care of those.

See PHP: Is mysql_real_escape_string sufficient for cleaning user input?

UPDATE:

You are safe from MySQL injection, so you should not use mysql_real_escape_string or escape any quotes.

amosrivera answered Jan 08 '23 08:01
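Both answers above can be checked against running code. The following is an added example, not code from the question or either answer: it binds a value containing an apostrophe and an injection tail through a mysqli prepared statement, shows that escaping the value first (as the question's sanitise() does) corrupts what gets stored, and separates business-rule validation and output encoding from SQL. It assumes a local MySQL reachable with the placeholder credentials shown and a `users` table created by the CREATE TABLE in the comment; `validateName`, `insertUser` and `fetchUser` are names chosen for this example, and the `$input` string is constructed.

```php
<?php
// Added example, not code from the original question or answers.
// Assumptions: a MySQL database reachable with the placeholder credentials
// below and a table created as
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY,
//                       name VARCHAR(100) NOT NULL, bio TEXT NOT NULL);
declare(strict_types=1);

// Make mysqli throw on errors instead of returning false that gets ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('127.0.0.1', 'app', 'secret', 'appdb'); // placeholder credentials
$db->set_charset('utf8mb4');

// 1. Validation is a business rule: decide what a valid name is and reject
//    the rest. Do not try to "clean" the value into something acceptable.
function validateName(string $raw): string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('name must be 1-100 characters');
    }
    return $name;
}

// 2. The SQL text contains only placeholders; bound values travel to the
//    server as data, so an apostrophe or a second statement in $name is
//    stored as characters and never parsed as SQL.
function insertUser(mysqli $db, string $name, string $bio): int
{
    $stmt = $db->prepare('INSERT INTO users (name, bio) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $bio);
    $stmt->execute();
    return (int) $db->insert_id;
}

function fetchUser(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT name, bio FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->store_result();            // buffer the row so the TEXT column fetches cleanly
    $stmt->bind_result($name, $bio);
    return $stmt->fetch() ? ['name' => $name, 'bio' => $bio] : null;
}

// Constructed input: a name with an apostrophe plus a classic injection tail.
$input = "O'Brien'; DROP TABLE users; --";

// Right: bind the validated raw value. It round-trips unchanged and the
// users table still exists afterwards.
$row = fetchUser($db, insertUser($db, validateName($input), '<b>hi</b> & bye'));
if ($row === null || $row['name'] !== $input) {
    throw new RuntimeException('raw value should round-trip unchanged');
}

// Wrong: escaping before binding. real_escape_string() turns ' into \' and
// the prepared statement faithfully stores that backslash as part of the name.
$escaped = $db->real_escape_string($input);
$row2 = fetchUser($db, insertUser($db, $escaped, ''));
if ($row2 === null || $row2['name'] === $input) {
    throw new RuntimeException('pre-escaped value should have been stored mangled');
}

// 3. Encode for the output context when rendering, not when storing. A
//    value stored already htmlspecialchars()'d is wrong for every other
//    consumer (JSON API, CSV export, plain-text email).
echo '<p>', htmlspecialchars($row['bio'], ENT_QUOTES | ENT_HTML5, 'UTF-8'), "</p>\n";
```

Run it with `php example.php` against a database where the `users` table exists. The first check passes because mysqli sends the bound value separately from the statement text; the second check passes because the escaped copy is stored with its backslashes, which is exactly the "junked" value RichardTheKiwi describes. Dropping `mysql_real_escape_string` from the question's sanitise() is not optional once prepared statements are used; what remains of that function (trimming, tag handling) is a validation or formatting decision, and htmlspecialchars() belongs at output time.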