Open CMahaff opened 10 years ago
MySQL Prepared statements are a better defense against SQL injection. Escaping the string does not stop all bad characters from getting through, as noted in the comments here:
http://php.net/manual/en/mysqli.real-escape-string.php
SQL prepared statements explanation:
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php