Do I need to do anything to protect the three variables, like using the escape string or binding them? I'm not sure if I did this correctly, people just recommended using prepa
You definitely DO need to protect them - otherwise, someone might put in a heading of "AMADANON's Heading" - and the apostrophe will look to the database as a close-quote. This is an inadvertent example; there will also be people trying to attack your database.
The recommended(1) way to do this is to use parameters. Use VALUES(?,?,?), then when calling execute, pass the variables in there.
For more information, read the PHP manual and check out the examples.
I don't like bound variables; it's too difficult to see what happens where.
This also means you can prepare a cursor (with a SQL statement) once, then use it many times with different parameters.
Escape is acceptable, but I don't see where it adds any benefit, and parameters are clearer.
(1) by me
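The approach described in the answer above, written out as an added example (this is not code from the thread or from the original poster's script). It uses PHP's PDO with an in-memory SQLite database so it runs stand-alone; the table name `posts` and its columns `heading`, `body`, `author` are assumptions, since the question does not show them. It first runs the unprotected interpolated query with the "AMADANON's Heading" value from the answer to show the apostrophe breaking the SQL, then the parameterised `VALUES (?, ?, ?)` form, and finally reuses the same prepared statement for several rows.

```php
<?php
// Added example, not the thread's own code. Assumes the pdo_sqlite extension
// and a hypothetical table posts(heading, body, author).

// In-memory SQLite so the script is self-contained; change the DSN for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (heading TEXT, body TEXT, author TEXT)');

// The value from the answer: the apostrophe reads as a closing quote to SQL.
$heading = "AMADANON's Heading";
$body    = "Some text";
$author  = "amadanon";

// 1) Unprotected: the variables are interpolated straight into the SQL.
//    The apostrophe ends the quoted literal early, so this query is a syntax
//    error here, and in general an injection point for whoever controls $heading.
try {
    $db->exec("INSERT INTO posts (heading, body, author) "
            . "VALUES ('$heading', '$body', '$author')");
} catch (PDOException $e) {
    echo "Interpolated query failed: " . $e->getMessage() . PHP_EOL;
}

// 2) Parameters: placeholders in the SQL, values handed to execute().
//    The values travel separately from the statement text, so an apostrophe
//    (or a quote-and-comment payload) is stored as data, never parsed as SQL.
$stmt = $db->prepare('INSERT INTO posts (heading, body, author) VALUES (?, ?, ?)');
$stmt->execute([$heading, $body, $author]);

// Prepare once, execute many times with different parameters, as the answer
// notes. Constructed sample rows, including one shaped like an attack string.
$rows = [
    ["O'Brien's reply",               "More text",       "alice"],
    ["Robert'); DROP TABLE posts;--", "still just data", "bob"],
];
foreach ($rows as $row) {
    $stmt->execute($row);
}

// Read back to confirm every heading landed verbatim, quotes included,
// and that the table still exists.
foreach ($db->query('SELECT heading, author FROM posts') as $r) {
    printf("%-32s %s\n", $r['heading'], $r['author']);
}
```

Run it with `php example.php`. The first attempt prints the driver's syntax error for the interpolated query; the three parameterised inserts succeed and the final loop prints all three headings unchanged. The same `?` placeholders work with mysqli's `prepare()`/`bind_param()`, but the PDO form is the one that takes the values directly in `execute()`, which is what the answer describes.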