mysqli prepared statements

kterry

I have a quick question about prepared statements with the mysqli ext.

Should I still use the mysqli_real_escape_string function when sanitizing data?

I hear prepared statements will escape everything for you and pretty much prepare the statement for safe use in mysql.

NogDog

If you use prepared statements with [man]mysqli_prepare/man, then values defined as bound parameters via [man]mysqli_bind_param/man do not need to be escaped. However, if you just use mysqli_query(), then you still need to escape values which may be prone to SQL injection issues like you would with mysql_query().