I am using PHP prepared statements with mysqli, but I can't find the code below:
mysqli_real_escape_string
How can I use the above code with PHP prepared statements and mysqli? Is it something like this?
$stmt->escape_string
Posting as a community wiki. I don't want rep for this.
There's no point in using both mysqli_real_escape_string() and a prepared statement.
It's one or the other.
Read the manual on using a MySQLi prepared statement:
Yet... you can use both, just not both together for the same instance.
Prepared queries (when used properly) will ensure data is properly escaped for safe querying, so you don't need to use mysqli_real_escape_string at all. You are kind of using them properly; you just need to change one little thing. Because you are using the '?' placeholder, it is better to pass params through the execute method.
$sql->execute(array($test));
Just be careful if you're outputting that to your page: database sanitization does not mean it will be safe for display within HTML, so run htmlspecialchars() on it as well. Here is a link to this question for prepared statements and real_escape_string
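A complete version of what the answers describe, added here as an example (not code from the question or the answers): a mysqli prepared statement with a '?' placeholder, which makes mysqli_real_escape_string() unnecessary, followed by htmlspecialchars() for the HTML output context. It assumes a users table with id and name columns and placeholder database credentials.

```php
<?php
// Added example; assumes a table `users(id INT, name VARCHAR)` and
// placeholder credentials (DB_USER, DB_PASSWORD, DB_NAME are not real values).
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');   // charset must match what the server expects

// Untrusted input, e.g. from a form. Constructed sample value with a quote in it.
$name = $_GET['name'] ?? "O'Brien";

// The mix the question asks about: escaping the value and then interpolating it
// into the SQL text. It works only if quoting and charset are right everywhere.
// $sql = "SELECT id, name FROM users WHERE name = '" . $db->real_escape_string($name) . "'";

// Prepared statement: the value travels separately from the query text, so the
// server never parses it as SQL and no escaping function is involved.
$stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
$stmt->bind_param('s', $name);   // 's' = string, 'i' = integer, 'd' = double
$stmt->execute();

// On PHP 8.1+ the parameters can be passed to execute() instead of bind_param():
// $stmt->execute([$name]);

$result = $stmt->get_result();   // requires the mysqlnd driver
while ($row = $result->fetch_assoc()) {
    // SQL safety is not HTML safety: escape again for the output context.
    echo '<li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</li>';
}
$stmt->close();
$db->close();
```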