0

Does mysqli_stmt::bind_param use mysqli::real_escape_string implicitly, or must we do it manually?

msoa

1 Answer

1

mysqli_stmt::bind_param neither does mysqli::real_escape_string implicitly, nor do you have to do it manually.

First, escaping is not a synonym for safety, while binding is.
So these are incomparable matters. Please refer to my earlier answer for the explanation: Properly Escaping with MySQLI | query over prepared statements

Next, bind_param doesn't use escaping anyway - it's a different mechanism.
Please refer to another answer of mine with a full explanation: How prepared statements can protect from SQL injection attacks?

Community
Your Common Sense
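
The difference the answer describes, as an added example that is not part of the answer or of the linked posts: the same input is passed through `real_escape_string` into an unquoted position and then through `bind_param`. The connection settings (read from environment variables), the `demo_users` table and the input value are assumptions constructed for the demonstration; it needs a reachable MySQL server, the mysqlnd driver and the privilege to create temporary tables.

```php
<?php
// Added example: connection settings are assumptions taken from the
// environment; the table and its rows are constructed for the demo.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli(
    getenv('DB_HOST') ?: '127.0.0.1',
    getenv('DB_USER') ?: 'demo',
    getenv('DB_PASS') ?: '',
    getenv('DB_NAME') ?: 'test'
);
$db->set_charset('utf8mb4');

$db->query('CREATE TEMPORARY TABLE demo_users (id INT PRIMARY KEY, name VARCHAR(50))');
$db->query("INSERT INTO demo_users VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Constructed input: it contains no quotes, backslashes or NUL bytes,
// so escaping has nothing to change in it.
$input = '1 OR 1=1';

// Escaping only prepares a value for use inside a quoted SQL string
// literal. It does not make the value "safe" anywhere else.
$escaped = $db->real_escape_string($input);
echo 'escaping changed the input: ', var_export($escaped !== $input, true), "\n";

// Escaped, but interpolated into an unquoted (numeric) position:
// the input becomes part of the SQL text and is parsed as a condition.
$rows = $db->query("SELECT name FROM demo_users WHERE id = $escaped")
           ->fetch_all(MYSQLI_ASSOC);
echo count($rows), " row(s) returned with escaping\n";

// Bound: the statement is prepared with a placeholder and the value is
// sent to the server separately, so it is only ever treated as data.
$stmt = $db->prepare('SELECT name FROM demo_users WHERE id = ?');
$stmt->bind_param('s', $input);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
echo count($rows), " row(s) returned with binding\n";
```

Comparing the two row counts shows why no manual escaping is needed with `bind_param`: the bound value never becomes part of the query text, so there is nothing for escaping to protect.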