If I’m using prepared statements in MySQLi, would I still need to escape or check user input in any way? So for example, if I had the code:
<?php
$members = new mysqli("localhost", "user", "pass", "members");
$r_email = $_POST['r_email'];
// The ? placeholder is bound below; the value is never spliced into the SQL text.
$check = $members->prepare("select user_id from users where email = ?");
$check->bind_param('s', $r_email);
$check->execute();
$check->store_result();
if ($check->num_rows > 0) {
    echo "user already registered";
}
// Close the statement on every path, not only when a row was found.
$check->close();
$members->close();
Would I need to change $r_email = $_POST['r_email']; to $r_email = mysql_real_escape_string($_POST['r_email']);?
Thanks.
It’s not necessary to escape a value if you’re going to pass as a parameter. In fact, you should not, because you’ll insert literal backslashes into your data.
These must be part of the SQL query at prepare time, so the RDBMS can parse and validate them. Or validate user input at the form.
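To show what the answer above means in running code, here is an added example (not from the question or either answer) using Python's sqlite3 module, whose `?` placeholders behave like the mysqli prepared statement in the question. The table, sample e-mails and the `fake_escape` helper are constructed for the demonstration; `fake_escape` only imitates what a SQL string-escaping function does.

```python
import sqlite3

# Constructed sample data standing in for the question's `users` table.
SAMPLE_EMAILS = ["alice@example.com", "o'brien@example.com"]


def open_members_db() -> sqlite3.Connection:
    """In-memory stand-in for the mysqli 'members' database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (email) VALUES (?)", [(e,) for e in SAMPLE_EMAILS])
    return conn


def email_registered(conn: sqlite3.Connection, email: str) -> bool:
    """Same check as the question: bind the raw input, no escaping at all."""
    # The value never becomes part of the SQL text, so a quote in it is just data:
    # an e-mail with an apostrophe matches, and a quote-plus-OR string matches nothing.
    row = conn.execute("SELECT user_id FROM users WHERE email = ?", (email,)).fetchone()
    return row is not None


def fake_escape(value: str) -> str:
    """Hypothetical helper imitating a SQL string-escaping function (backslash-escapes)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def register_escaped_and_bound(conn: sqlite3.Connection, email: str) -> str:
    """The mistake the answer warns about: escape first, then bind.

    Returns the value that actually ended up in the table, so the caller can see
    the literal backslash that escaping added to the data.
    """
    cur = conn.execute("INSERT INTO users (email) VALUES (?)", (fake_escape(email),))
    stored = conn.execute("SELECT email FROM users WHERE user_id = ?", (cur.lastrowid,)).fetchone()
    return stored[0]


if __name__ == "__main__":
    db = open_members_db()
    print(email_registered(db, "o'brien@example.com"))          # True: quote is data
    print(register_escaped_and_bound(db, "o'neil@example.com"))  # o\'neil@example.com
    print(email_registered(db, "o'neil@example.com"))           # False: lookup now misses
```

The last two lines show the practical damage: the escaped-then-bound row is stored with a literal backslash, so a later lookup of the real address no longer finds it.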
Always SQL-Escape data that you put in SQL sentences. Never SQL-Escape data outside SQL sentences.