  • 2
    Is using mysql_real_escape_string enough, or must I use parameterized queries too?
    – peiman F.
    Commented Mar 8, 2018 at 21:29
  • 10
    @peimanF. Keep a good practice of using parameterized queries, even on a local project. With parameterized queries you are guaranteed that there will not be SQL injection. But keep in mind you should sanitize the data to avoid bogus retrieval (i.e. XSS injection, such as putting HTML code in a text), with htmlentities for example.
    – Goufalite
    Commented Mar 9, 2018 at 8:02
  • 3
    @peimanF. Good practice to parameterize queries and bind values, but real escape string is good for now.
    – Richard
    Commented Apr 4, 2018 at 18:03
  • I understand the inclusion of mysql_real_escape_string() for completeness, but am not a fan of listing the most error-prone approach first. The reader might just quickly grab the first example. Good thing it's deprecated now :)
    Commented Dec 5, 2018 at 0:13
  • 5
    @SteenSchütt - All the mysql_* functions are deprecated. They were replaced by similar mysqli_* functions, such as mysqli_real_escape_string.
    – Rick James
    Commented Dec 1, 2019 at 1:21
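
The three approaches the comments compare (string concatenation, escaping with the mysqli_* replacement for mysql_real_escape_string, and a parameterized query), plus the separate output-encoding step Goufalite's comment raises, as an added example that is not part of the thread. It assumes a `users` table with `name` and `email` columns, a reachable MySQL server, and placeholder credentials.

```php
<?php
// Added example, not from the original thread. Connection values are placeholders.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    die('Connection failed: ' . htmlspecialchars($db->connect_error, ENT_QUOTES, 'UTF-8'));
}
// Escaping is charset-dependent, so set the connection charset explicitly.
$db->set_charset('utf8mb4');

$name = $_GET['name'] ?? '';

// 1. Vulnerable: untrusted input concatenated straight into the SQL text.
//    A quote character in $name changes the structure of the statement.
//    Shown for comparison only; this string is never executed here.
$sqlConcat = "SELECT email FROM users WHERE name = '" . $name . "'";

// 2. Escaping: mysqli_real_escape_string (mysql_real_escape_string is removed)
//    neutralises quote characters inside a quoted string literal. It does nothing
//    for unquoted values (e.g. numbers, column names) and depends on the
//    connection charset being correct. Also not executed here.
$sqlEscaped = "SELECT email FROM users WHERE name = '"
    . $db->real_escape_string($name) . "'";

// 3. Parameterized: the SQL text is sent to the server without the value, and
//    the value is bound afterwards, so it can never be parsed as SQL. This is
//    the recommended approach from the comments above.
$stmt = $db->prepare('SELECT email FROM users WHERE name = ?');
$stmt->bind_param('s', $name);   // 's' = bind as string
$stmt->execute();
$stmt->bind_result($email);

// Separate concern: parameterization stops SQL injection but has no effect on
// HTML/XSS. Encode at output time (htmlentities, as suggested, also works).
while ($stmt->fetch()) {
    echo htmlspecialchars($email, ENT_QUOTES, 'UTF-8'), "<br>\n";
}
$stmt->close();
$db->close();
```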