I am in the process of creating a reply ticket system, and came across this. Since I'm using mysqli_real_escape_string, it's adding backslashes to the reply text. Since I'm using prepared statements and bind_param, is it safe to remove the mysqli escape string? Or will that open it up to SQL injection? Thanks!!
Asked by Frits
- Sorry, didn't know if that applied, I'll take a look! Thank you! – Sep 23 '16 at 16:04
- If you're (properly) using prepared statements, then you DON'T escape. That essentially double-escapes the data. – Marc B Sep 23 '16 at 16:06
1 Answer
Simple answer: no. SQL injection involves inputting strings that are used as part of the SQL control itself rather than as values for a part of the query. By parameterizing the query, you essentially cordon off the variable, which covers the cases protected by *_escape_string calls and is more secure.
Answered by Steve
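The following is an added example, not code from the question or the answer above. It reproduces both points of the thread with Python's standard-library sqlite3 driver instead of PHP's mysqli, because the mechanism is the same: a bound parameter is handed to the database as a value, never parsed as SQL. The `mysql_style_escape` helper is a hand-written imitation of the character substitutions mysqli_real_escape_string() performs (it is not the real function), the `tickets`/`replies` tables and the sample rows are constructed for the demo, and `?` is the placeholder syntax of both sqlite3 and mysqli. `store_reply_escaped_then_bound` shows the double-escaping the asker observed (backslashes end up stored in the row), `tickets_for_owner_concatenated` shows the string concatenation that escaping was meant to protect, and `tickets_for_owner_bound` shows the same lookup with a bound parameter, where an injection payload simply matches no owner.

```python
import sqlite3


def mysql_style_escape(value: str) -> str:
    """Imitation of the substitutions mysqli_real_escape_string() makes
    (backslash, single and double quote, NUL, newline, CR, Ctrl-Z).
    Hand-written stand-in for the demo, not the real mysqli function."""
    table = {
        "\\": "\\\\",
        "'": "\\'",
        '"': '\\"',
        "\0": "\\0",
        "\n": "\\n",
        "\r": "\\r",
        "\x1a": "\\Z",
    }
    return "".join(table.get(ch, ch) for ch in value)


def open_db() -> sqlite3.Connection:
    """In-memory database with constructed sample data for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, owner TEXT, subject TEXT)")
    conn.execute("CREATE TABLE replies (id INTEGER PRIMARY KEY, ticket_id INTEGER, body TEXT)")
    conn.execute(
        "INSERT INTO tickets (owner, subject) VALUES ('alice', 'Login broken'), ('bob', 'Refund')"
    )
    return conn


def store_reply_escaped_then_bound(conn: sqlite3.Connection, ticket_id: int, body: str) -> str:
    """What the question describes: escape first, then bind. The escaped text is
    passed as a value, so the added backslashes are stored literally."""
    cur = conn.execute(
        "INSERT INTO replies (ticket_id, body) VALUES (?, ?)",
        (ticket_id, mysql_style_escape(body)),
    )
    return conn.execute("SELECT body FROM replies WHERE id = ?", (cur.lastrowid,)).fetchone()[0]


def store_reply_bound(conn: sqlite3.Connection, ticket_id: int, body: str) -> str:
    """Bind the raw text: quotes and backslashes in the reply are stored as typed."""
    cur = conn.execute(
        "INSERT INTO replies (ticket_id, body) VALUES (?, ?)",
        (ticket_id, body),
    )
    return conn.execute("SELECT body FROM replies WHERE id = ?", (cur.lastrowid,)).fetchone()[0]


def tickets_for_owner_concatenated(conn: sqlite3.Connection, owner: str) -> list:
    """Vulnerable pattern: the value is spliced into the SQL text, so a quote in
    the input ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT subject FROM tickets WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def tickets_for_owner_bound(conn: sqlite3.Connection, owner: str) -> list:
    """Parameterized version: the whole input is compared as a string value."""
    return [
        row[0]
        for row in conn.execute("SELECT subject FROM tickets WHERE owner = ?", (owner,))
    ]


if __name__ == "__main__":
    db = open_db()
    reply = "it's fixed"
    print("escaped then bound:", store_reply_escaped_then_bound(db, 1, reply))
    print("bound only:        ", store_reply_bound(db, 1, reply))
    payload = "' OR 1=1 --"
    print("concatenated query:", tickets_for_owner_concatenated(db, payload))
    print("bound query:       ", tickets_for_owner_bound(db, payload))
```

Bound parameters cover values only: a table or column name, or an ORDER BY direction, cannot be passed as a parameter and must come from an allow-list in application code rather than from user input.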