PHP / mySQL预备语句

Question

Is the below php code vulnerable to SQL injection, or is it sufficiently secure as written? Also:

1. Should I apply mysql_real_escape_string() to the values passed by the user (or attempt to neuter them in any other way)...?
2. Should I be using php_flag magic_quotes off ...?

3. Should I be using php_value magic_quotes_gpc 0 ...?

    $mysqli = new mysqli($server_name, $db_username, $db_password, $db_name); $sql = "SELECT * FROM tbl_users WHERE username=? AND password=?"; $username = $_POST['username']; $password = $_POST['password']; $stmt = $mysqli->prepare($sql); $stmt->bind_param('ss',$username,$password)) { $stmt->execute(); 

Answer 1

Because the query is being prepared SQL injection is impossible. But this doesn't mean that prepared statement are 100% safe. Personally I prefer PDO. Just have a look at it.

Answer 2

没有什么是绝对安全的，但是由于您正在使用Mysqli并且已经做好了准备，所以应该没事