Until now i’ve been using prepared statements together with real_escape_string when handling input from

Question

0

Asked: June 18, 20262026-06-18T12:07:51+00:00 2026-06-18T12:07:51+00:00

Until now i’ve been using prepared statements together with real_escape_string when handling input from

0

Until now i’ve been using prepared statements together with real_escape_string when handling input from HTML forms. Example:

$var1 = $dbconnection->real_escape_string($_POST['varFromForm']); 

if ($insert = $dbconnection->prepare("INSERT etc.. ")) {
    $insert->bind_param('s', $var1);
    and so on..

Although, this messed up the formatting when displaying the stored data by outputting \r\n when new line breaks were used in the textarea of input. This because of it apparently escaped the input twice.

So i want to make sure that i haven’t misunderstood the deal with prepared statements and that this following code IS safe from SQL-injections by using prepared statements without the escaping?

$var1 = $_POST['varFromForm'];

if ($insert = $dbconnection->prepare("INSERT etc.. ")) {
    $insert->bind_param('s', $var1);
    and so on..

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-18T12:07:52+00:00

Editorial Team

2026-06-18T12:07:52+00:00Added an answer on June 18, 2026 at 12:07 pm

The sql query execution plan of a prepared statement can’t be changed by the parameters, the parameters only can be inserted. So you don’t need to escape variables.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Until now i’ve been using prepared statements together with real_escape_string when handling input from

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply