stackoom
  简体   繁体   中英

use mysqli_real_escape_string with prepared statement

 原文  2015-03-05 04:23:59       php/ mysqli

Question

I'm working on a PHP project with mysqli and need to retrieve the info from the user via $_POST , my problem is that I want to use prepared statements and mysqli->real_escape_string like this:

//$mysqli is the link to my database
if( isset($_POST['ID_name']) && isset($_POST['Nombre_name']) )
        {
//just in case magic_quotes_gpc is on
            $id = trim(htmlentities(mysqli_real_escape_string(stripslashes($mysqli,$_POST['ID_name']))));
            $nombre = trim(htmlentities(mysqli_real_escape_string(stripslashes($mysqli,$_POST['Nombre_name'])));  

//... more code validation but not reffered to my question...

$query="insert into empleado_php values(?,?)";

if(!($consulta=$mysqli->stmt_init())){
    echo"Error al crear la sentencia ingresar.php";
    exit();
    }
if(!($consulta->prepare($query))){
    echo"Error al prepara la consulta ingresar.php";
    exit();
    }
if(!($consulta->bind_param("ss", $id, $nombre))){
    echo"Error anexando parametros ingresar.php";
    exit();
}
if(!($consulta->execute())){
    echo "Error al ejecutar la consulta";
    echo"<br>";
    echo "Error ".$consulta->error. "con codigo  " .$consulta->errno;
    exit();
}
else{
    echo "Datos ingresados exitosamente !!!";
}
$consulta->close();
$mysqli->close();
?>

My question is: do I need to use mysqli_real_scape_string when using prepared statement? if yes, my code is good? could you give a better sample?

1 answers

solution1
 1  2015-03-05 04:27:07

From http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

Escaping and SQL injection Bound variables are sent to the server separately from the query and thus cannot interfere with it. The server uses these values directly at the point of execution, after the statement template is parsed. Bound parameters do not need to be escaped as they are never substituted into the query string directly. A hint must be provided to the server for the type of bound variable, to create an appropriate conversion. See the mysqli_stmt_bind_param() function for more information.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question mysqli_real_escape_string AND prepared statements? mysqli prepared statements and mysqli_real_escape_string How to use mysqli_real_escape_string()? mysqli_real_escape_string mysqli link? mySQLI - problem with mysqli_real_escape_string Correct use of mysqli_real_escape_string for insert,select and update statement - PHP/Oracle Use foreach and mysqli_real_escape_string for many post value how to correctly use mysqli_real_escape_string() Function in a query PHP and MySQL - correct way to use mysqli_real_escape_string What kinds of quotes to use with mysqli_real_escape_string?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM