Do I need to escape data to protect against SQL injection when using bind_param() on MySQLi?

烂漫一生 提交于 2019-12-01 04:27:30

No, you do not need to escape data to protect against SQL injection when binding parameters.

This does not absolve you from validating said data though.

When binding parameters, there is no escaping performed (internally or otherwise). An SQL statement is prepared with parameter placeholders and values for these are passed at execution time.

The database knows what parameters are and treats them accordingly as opposed to SQL value interpolation.

No.

To quote this

http://mysql.lamphost.net/tech-resources/articles/4.1/prepared-statements.html

"Normally when you are dealing with an ad hoc query, you need to be very careful when handling the data that you received from the user. This entails using functions that escape all of the necessary trouble characters, such as the single quote, double quote, and backslash characters. This is unnecessary when dealing with prepared statements. The separation of the data allows MySQL to automatically take into account these characters and they do not need to be escaped using any special function."

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!