Menu
Should I use mysqli_real_escape_string or should I use prepared statements?
I've seen a tutorial now explaining prepared statements but I've seen them do the same thing as mysqli_real_escape_string but it uses more lines
Are there any benefits for prepared statements? What do you think is the best method to use?
499
You should use real_escape_string on any parameter you're mixing as a string literal into the sql statement. And only on those string literal values.
This extension was deprecated in PHP 5.5. 0, and it was removed in PHP 7.0.
PHP provides mysql_real_escape_string() to escape special characters in a string before sending a query to MySQL. This function was adopted by many to escape single quotes in strings and by the same occasion prevent SQL injection attacks. However, it can create serious security flaws when it is not used correctly.
The mysqli_real_escape_string() function is used to escape characters in a string, making it legal to use in an SQL statement.
Prepared statements only. Because nowhere escaping is the same thing. In fact, escaping has absolutely nothing to do with whatever injections, and shouldn't be used for protection.
While prepared statements offer the 100% security when applicable.
168
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
