As the title says, do I have to escape user input when using bind_param() or is that done internally?
Thank you.
No, you do not need to escape data to protect against SQL injection when binding parameters.
This does not absolve you from validating said data though.
When binding parameters, there is no escaping performed (internally or otherwise). An SQL statement is prepared with parameter placeholders and values for these are passed at execution time.
The database knows what parameters are and treats them accordingly as opposed to SQL value interpolation.
No.
To quote this
http://mysql.lamphost.net/tech-resources/articles/4.1/prepared-statements.html
"Normally when you are dealing with an ad hoc query, you need to be very careful when handling the data that you received from the user. This entails using functions that escape all of the necessary trouble characters, such as the single quote, double quote, and backslash characters. This is unnecessary when dealing with prepared statements. The separation of the data allows MySQL to automatically take into account these characters and they do not need to be escaped using any special function."
来源:https://stackoverflow.com/questions/7409553/do-i-need-to-escape-data-to-protect-against-sql-injection-when-using-bind-param