stackoom
  简体   繁体   中英

Is mysql_real_escape_string() necessary when using prepared statements?

 原文  2011-06-03 20:06:06       php/ mysql/ mysqli/ prepared-statement

Question

For this query, is necessary to use mysql_real_escape_string ?

Any improvement or the query is fine?

$consulta = $_REQUEST["term"]."%";

($sql = $db->prepare('select location from location_job where location like ?'));

$sql->bind_param('s', $consulta);
$sql->execute();
$sql->bind_result($location);

$data = array();

while ($sql->fetch()) {
    $data[] = array('label' => $location);
}

The query speed is important in this case.

1 answers

solution1
 24 ACCPTED  2011-06-03 20:09:42

No, prepared queries (when used properly) will ensure data cannot change your SQL query and provide safe querying. You are using them properly, but you could make just one little change. Because you are using the '?' placeholder, it is easier to pass params through the execute method.

$sql->execute([$consulta]);

Just be careful if you're outputting that to your page, SQL parameter binding does not mean it will be safe for display within HTML, so run htmlspecialchars() on it as well when outputting.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Concrete example of where mysql_real_escape_string fails and Prepared Statements are necessary PHP changing from mysql_real_escape_string to PDO prepared statements Is it necessary to use mysql_real_escape_string() for image into mysql? Access denied error when using mysql_real_escape_string() More slashes when using mysql_real_escape_string When to use mysql_real_escape_string() When mysql_real_escape_string() is needed? Is mysql_real_escape_string necessary if there are no user inputs? Using mysql_real_escape_string in IN clause Speed of using mysql_real_escape_string
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM