Is mysql_real_escape_string() necessary when using prepared statements?

by

No, prepared queries (when used properly) will ensure data cannot change your SQL query and provide safe querying. You are using them properly, but you could make just one little change. Because you are using the ‘?’ placeholder, it is easier to pass params through the execute method.

$sql->execute([$consulta]);

Just be careful if you’re outputting that to your page, SQL parameter binding does not mean it will be safe for display within HTML, so run htmlspecialchars() on it as well when outputting.

More Related Contents:

  1. mysqli_stmt::bind_result(): Number of bind variables doesn’t match number of fields in prepared statement
  2. How to use mysqli prepared statements?
  3. MySQLi prepared statements error reporting [duplicate]
  4. Example of how to use bind_result vs get_result
  5. mysqli: can it prepare multiple queries in one statement?
  6. mysqli_stmt::bind_param(): Number of elements in type definition string doesn’t match number of bind variables
  7. using nulls in a mysqli prepared statement
  8. How to prepare statement for update query? [duplicate]
  9. Using Prepared Statement, how I return the id of the inserted row?
  10. Commands out of sync; you can’t run this command now
  11. SELECT COUNT(*) AS count – How to use this count
  12. Why is using a mysql prepared statement more secure than using the common escape functions?
  13. Call to a member function execute() on boolean in [duplicate]
  14. Mysql No connection could be made because the target machine actively refused it
  15. How can I Use Prepared Statements in CodeIgniter
  16. Replacing mysql_* functions with PDO and prepared statements
  17. PDOstatement (MySQL): inserting value 0 into a bit(1) field results in 1 written in table
  18. How to connect to MySQL database in PHP using mysqli extension?
  19. mySQLi prepared statement unable to get_result()
  20. When *not* to use prepared statements?
  21. Fatal error: Uncaught exception ‘mysqli_sql_exception’ with message ‘No index used in query/prepared statement’
  22. Fatal error: Call to undefined function mysqli_result()
  23. Fatal error: Call to undefined method mysqli_stmt::fetch_array() [duplicate]
  24. Using wildcards in prepared statement
  25. Which is fastest in PHP- MySQL or MySQLi?
  26. mysqli persistent connection
  27. Create mysql trigger via PHP?
  28. How to make mysqli connect function?
  29. Dynamically bind mysqli_stmt parameters and then bind result
  30. Check to see if an email is already in the database using prepared statements

Leave a Comment