Is this a good way to prevent SQL injection before running a database query?

Question

0

Asked: May 30, 20262026-05-30T04:39:24+00:00 2026-05-30T04:39:24+00:00

Is this a good way to prevent SQL injection before running a database query?

0

Is this a good way to prevent SQL injection before running a database query?

$name = mysql_real_escape_string(stripslashes($name));
$age = mysql_real_escape_string(stripslashes($age));
$location = mysql_real_escape_string(stripslashes($location));

Thanks in advance!

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-30T04:39:26+00:00

This answers it well:

mysql_real_escape_string() versus Prepared Statements by Ilia Alshanetsky

So what can you do? The solution is to use prepared statements, which
are supported by nearly all PHP database extensions with the notable
exceptions of MySQL (ext/mysql) and SQLite2 (ext/sqlite). So, to be on
the safe side, I’d recommend using the PDO interface to talks with
those databases or in the case of MySQL using the newer MySQLi
(ext/mysqli) extension. Those interfaces provide prepared statement
support, which allows for separation between query structure and the
query parameters.

So to be on safer side, don’t rely on mysql_real_escape_string alone, using prepared statements is much better.

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Is this a good way to prevent SQL injection before running a database query?

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply