Home/ Questions/Q 9040405
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-16T09:58:25+00:00

I want to eliminate sql injection, should I use mysqli_real_escape_string() or is it clear

  • 0

I want to eliminate sql injection, should I use mysqli_real_escape_string() or is it clear in mysqli?
For example

$nick = mysqli_real_escape_string($_POST['nick'])
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You should use prepared statements and pass string data as a parameter but you should not escape it.

    This example is taken from the documentation:

    /* create a prepared statement */
if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) {

    /* bind parameters for markers */
    $stmt->bind_param("s", $city);

    /* execute query */
    $stmt->execute();

    /* bind result variables */
    $stmt->bind_result($district);

    /* fetch value */
    $stmt->fetch();

    printf("%s is in district %s\n", $city, $district);

    /* close statement */
    $stmt->close();
}

    Note that the example does not call mysqli_real_escape_string. You would only need to use mysqli_real_escape_string if you were embedding the string directly in the query, but I would advise you to never do this. Always use parameters whenever possible.

    Related

    • 0