I want to eliminate SQL injection. Should I use mysqli_real_escape_string(), or is it clear in mysqli?
For example:
$nick = mysqli_real_escape_string($mysqli, $_POST['nick']); /* the procedural form needs the connection as its first argument */

You should use prepared statements and pass string data as a parameter, but you should not escape it.
This example is taken from the documentation:
$city = "Amersfoort"; /* the value to look up; with user input this would come from e.g. $_POST */
/* create a prepared statement */
if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) {
    /* bind parameters for markers ("s" = string) */
    $stmt->bind_param("s", $city);
    /* execute query */
    $stmt->execute();
    /* bind result variables */
    $stmt->bind_result($district);
    /* fetch value */
    $stmt->fetch();
    printf("%s is in district %s\n", $city, $district);
    /* close statement */
    $stmt->close();
}
Note that the example does not call mysqli_real_escape_string. You would only need to use mysqli_real_escape_string if you were embedding the string directly in the query, but I would advise you to never do this. Always use parameters whenever possible.
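The following is an added example, not part of the original answer or of the PHP documentation, that puts the string-embedding approach the answer warns against next to the parameterised form it recommends. It assumes a MySQL server reachable with the placeholder credentials shown and a table City(Name, District) like the one in the documentation example; the function names districtUnsafe and districtSafe are invented for illustration.

```php
<?php
// Placeholder connection details (assumption, adjust for your environment).
$mysqli = new mysqli("localhost", "db_user", "db_password", "world");
if ($mysqli->connect_errno) {
    die("Connect failed: " . $mysqli->connect_error);
}

// VULNERABLE PATTERN (shown for contrast only): the untrusted value is pasted
// into the SQL text, so the database parses whatever quotes or keywords it
// contains as part of the statement. This is what the answer advises never to do.
function districtUnsafe(mysqli $db, string $name): ?string {
    $sql = "SELECT District FROM City WHERE Name='" . $name . "'";
    $result = $db->query($sql);
    $row = $result ? $result->fetch_row() : null;
    return $row[0] ?? null;
}

// SAFE PATTERN: the SQL text is sent to the server first, then the value is
// bound to the placeholder. The value is never parsed as SQL, so no escaping
// is needed regardless of what characters it contains.
function districtSafe(mysqli $db, string $name): ?string {
    $stmt = $db->prepare("SELECT District FROM City WHERE Name = ?");
    if ($stmt === false) {
        return null;                 // prepare failed (e.g. bad SQL or lost connection)
    }
    $stmt->bind_param("s", $name);   // "s" binds the value as a string
    $stmt->execute();
    $stmt->bind_result($district);
    $found = $stmt->fetch();         // true if a row was returned
    $stmt->close();
    return $found ? $district : null;
}

// If you ever did embed a string directly, the procedural escape function needs
// the connection as its first argument so it can use the connection's charset:
//   $escaped = mysqli_real_escape_string($mysqli, $name);
// but a prepared statement, as above, makes that step unnecessary.

$name = $_POST['city'] ?? 'Amersfoort';  // untrusted input; default is a demo value
var_dump(districtSafe($mysqli, $name));
```

Run it as a normal PHP script against your own database; the point to take away is that districtSafe returns the same result for well-formed city names while never letting the input change the shape of the query.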