I’m using prepared statements and MySQLi with my queries to protect against injection attacks.

Question

0

Asked: May 17, 20262026-05-17T06:49:24+00:00 2026-05-17T06:49:24+00:00

I’m using prepared statements and MySQLi with my queries to protect against injection attacks.

0

I’m using prepared statements and MySQLi with my queries to protect against injection attacks. Would prepared statements remove the need for mysql_real_escape_string entirely? Is there anything else I should consider when securing my site?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-17T06:49:27+00:00

As long as you’re using the prepared statements correctly they will. You have to make sure you’re binding all the external variables and not putting them directly in the query.

For example

$stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=" . $name);

This statement is being prepared, but it doesn’t use one of the bind methods so it does no good. It is still vulnerable to SQL injection.

To fix that make sure to bind everything…

$stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) {
$stmt->bind_param("s", $city);

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I’m using prepared statements and MySQLi with my queries to protect against injection attacks.

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply