Is mysql_real_escape_string() necessary when using prepared statements?

Question

For this query, is necessary to use mysql_real_escape_string?

Any improvement or the query is fine ?

$consulta = $_REQUEST[\"term\"].\"         


        

Answer 1

No, prepared queries (when used properly) will ensure data is properly escaped for safe querying. You are kind of using them properly, just need change one little thing. Because you are using the '?' placeholder, it is better to pass params through the execute method.

$sql->execute(array($consulta));

Just be careful if you're outputting that to your page, database sanitization does not mean it will be safe for display within HTML, so run htmlspecialchars() on it as well.