Should I Use mysqli_real_escape_string With Prepared Statements in PHP?

DISCLAIMER: This post may contain “affiliate” links to products and services I recommend. I’ll receive a small commission if you decide to purchase one of these products or services. I only recommend products I genuinely believe will help you in running your freelance business.

Graham recently asked me:

Do I still need to used mysqli_real_escape_string when used prepared statements in PHP?

The simple answer is no.

The way it used to work is that you would take form input data, put that into a variable, and inject that data into your MySQL query in order to add that data to the database.

Now, a big problem with that is SQL Injection attacks where a hacker could inject SQL code into your query and perform actions on your database… which is something you definitely don’t want.

So, the standard solution became using mysql_real_escape_string to sanitize data before sending to the database.

Of course, that’s not the preferred solution anymore. Prepared statements are:

But, with PHP5, the PHP developers built an entire class into PHP for working MySQL. With that class, there are now prepared statements in PHP… and prepared statements allow you to “bind” data to a query using sprintf-like syntax… rather than “inject” your data into those queries.

And, with this new system, the methods that bind the data to your query do the sanitizing for you. So, mysqli_real_escape_string is no longer necessary WHEN you bind values this way.

Of course, if you have some other way you’re injecting input data into your queries, you still need to sanitize that data… and mysqli_real_escape_string is still the main method for doing that.

You might also like

Do you want more freelance clients?

I’ll show you what I learned over the last 15 years to grind out (from absolute scratch) a backlog of new clients wanting to hire you. Who your best client prospect are, what services you should be offering them, where to find them and more. Just enter your email address in the box below and let’s get started:

Share on facebook
Facebook
Share on twitter
Twitter
Share on linkedin
LinkedIn
Share on reddit
Reddit
Share on pinterest
Pinterest
John Morris

JOHN MORRIS

I’m a 15-year veteran of freelance web development. I’ve worked with bestselling authors and average Joe’s next door. These days, I focus on helping other freelancers build their freelance business and their lifestyles.

This Post Has 8 Comments

  1. AWESOME insight.

  2. Hi! john great job, you have shown how to connect , create data in database, and i really learn a lot, by the way can you post edit and delete database content also?

  3. Do you use any PHP frameworks in your production sites?

    1. Not technically. I work primarily within WordPress, so there’s a code base there, but not an actual framework.

  4. hello Mr. Morris,

    I’m little confused about where to use static methods in php and why ?? without Instiating classes.where it’s fits perfactly. advantages and disadvantages . please help me to understand it compleatly . Thanks 🙂

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Do you want more freelance clients?

Enter your email below to get started building your system for consistently bringing in new freelance clients:

WHAT OTHERS ARE SAYING

Sukh Plaha

John is a fantastic and patient tutor, who is not just able to share knowledge and communicate it very effectively – but able to support one in applying it. However, I believe that John has a very rare ability to go further than just imparting knowledge and showing one how to apply it. He is able to innately provoke one’s curiosity when explaining and demonstrating concepts, to the extent that one can explore and unravel their own learning journey. Thanks very much John!

Lewis Howes

John is amazing at building membership sites. He converted one of my sites over from it’s existing (hardly working) platform over to the clean and simple to use WishList membership platform. I highly recommend using John and WishList for any of your membership site needs.

Chris Aitken

He significantly improved my site through his expert knowledge of PHP, CSS and Javascript. Would definitely recommend John to others.

Lori Grant

John did an outstanding job on my project. I highly recommend him and look forward to working with him on future projects.

Daniel Mohlendick

On the Freelancing on Upwork course: “This is by far the best course i have watched on Skillshare!! Thank you so much.”

Thabo Motsoahae

John is one of the best instructors I have come across, I learned a lot from his online tutorials.

Xan Barksdale

Xan Barksdale

Very professional worker who is extremely knowledgable in WordPress and Wishlist Member. I would definitely hire again.

Close Menu