
For database security do I need to do BOTH binding parameters in a prepared statement AND mysql_real_escape_string() on the input?

Thanks!

Comment: No! Bind parameters automatically escape quotes in strings, that's their purpose: so don't do it yourself unless you want erroneous escape characters in the saved values. (Commented Mar 4, 2013 at 23:44)

1 Answer

No, parameterised queries are fine on their own. As long as you keep all variable data in parameters, passed separately from the query, they can be picked up without any escape/unescape handling.

You shouldn't blanket-escape at the input phase in general - you don't know what kinds of escape (SQL, HTML, JS, ...) you're going to need until the point you actually inject a value into one of those string contexts. Applying all kinds of escapes over all input data will only lead to mangled and inconsistent input handling.
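Added example (not part of the answer above) showing both points: a bound parameter stores a quote-bearing value intact and cannot alter the statement, while escaping before binding leaves stray backslashes in the saved data. It uses Python's built-in sqlite3 driver rather than PHP/MySQL, and `mysql_style_escape` is a constructed stand-in for `mysql_real_escape_string()`, not the real function.

```python
import sqlite3

def mysql_style_escape(value: str) -> str:
    """Constructed approximation of mysql_real_escape_string(): prefixes the
    characters that function escapes with a backslash. Illustrative only."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\n": "\\n",
             "\r": "\\r", "\0": "\\0", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)

def _fresh_db() -> sqlite3.Connection:
    # In-memory database with one table, created fresh for each call.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn

def store_and_fetch(name: str, pre_escape: bool = False) -> str:
    """Insert `name` via a bound parameter and return what the DB actually holds.
    With pre_escape=True the value is escaped first, as the question proposes."""
    conn = _fresh_db()
    value = mysql_style_escape(name) if pre_escape else name
    # The placeholder keeps the value out of the SQL text; the driver passes it
    # as data, so quoting or escaping the value is neither needed nor wanted.
    conn.execute("INSERT INTO users (name) VALUES (?)", (value,))
    (stored,) = conn.execute("SELECT name FROM users").fetchone()
    conn.close()
    return stored

def tables_after_insert(name: str) -> list:
    """Insert `name` via a bound parameter and list the tables that remain,
    showing that quotes or semicolons inside the value never reach the parser."""
    conn = _fresh_db()
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    names = [r[0] for r in rows]
    conn.close()
    return names

if __name__ == "__main__":
    # Constructed sample inputs: a legitimate apostrophe and a hostile-looking one.
    print(store_and_fetch("O'Reilly"))                    # O'Reilly
    print(store_and_fetch("O'Reilly", pre_escape=True))   # O\'Reilly  (mangled)
    print(tables_after_insert("x'); DROP TABLE users; --"))  # ['users']
```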
