Question:
Is it necessary to use the mysql_real_escape_string() function when utilizing prepared statements for database queries?
Context:
The provided code demonstrates a prepared statement query using the mysqli library. However, it currently uses the mysql_real_escape_string() function to sanitize the user input.
<code class="php">$consulta = $_REQUEST["term"]."%";
($sql = $db->prepare('select location from location_job where location like ?'));
$sql->bind_param('s', $consulta);
$sql->execute();</code>Answer:
No, prepared statements provide inherent protection against SQL injection and data manipulation when used properly. They automatically sanitize input, making mysql_real_escape_string() redundant.
Improvement:
While the query is using prepared statements correctly, a minor modification can improve its efficiency. Instead of using the bind_param() method, the execute() method can be used to pass parameters directly.
<code class="php">$sql->execute([$consulta]);</code>
Additional Note:
Although prepared statements protect against SQL injection, they do not ensure the safety of data when outputting it to the page. To prevent potential cross-site scripting (XSS) attacks, it's recommended to use htmlspecialchars() to HTML-encode any data before outputting it to the browser.
The above is the detailed content of Do Prepared Statements Need `mysql_real_escape_string()` for Security?. For more information, please follow other related articles on the PHP Chinese website!
How do I set up WeChat to require my consent when people add me to a group?
HOW TO INSTALL LINUX
What are the advantages of SpringBoot framework?
python environment variable configuration
How to set font color in html
How to change the cad layout from white to black
C language to find the least common multiple
sort function python usage
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
