Prepared Statement Arguments Does Not Need Sanitization?


1 reply to this topic

#1 masterlayouts


    Advanced Member

  • Members
  • 64 posts

Posted 11 February 2012 - 3:24 PM

You mentioned prepared statements as an alternative to mysqli_real_escape_characters. Does this mean that we do not have to validate/sanitize the user input if it goes to a prepared statement?

It is my understanding that mysqli_real_escape_characters escapes database-specific characters such as NUL (ASCII 0), \n, \r, \, ', ", and Control-Z (according to the PHP Manual). So it makes sense to use it instead of something simpler like addslashes(). It also makes sense to use other things like strip_tags() and htmlspecialchars() to avoid other kinds of problems.

What is the deal with prepared statements? The PHP Manual says:
"The parameters to prepared statements don't need to be quoted; the driver automatically handles this. If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible)."

I am sorry, but I have some difficulty putting everything together. Can the developer be sure or not? It seems to me rather like a contradiction...

#2 Jonathon


    Advanced Member

  • Members
  • 1070 posts

Posted 11 February 2012 - 3:52 PM

Prepared statements make the database handle the escaping of data. I don't think it ever combines the whole SQL query; it keeps the variables separate (I think).
So you shouldn't use mysqli_real_escape_string with prepared statements, or as Larry put it to me a while back:

"For one, you don't need to do that when using prepared statements (which is to say, you shouldn't do that when using prepared statements)."
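The separation Jonathon describes (the value travels apart from the SQL text) and the manual's caveat about "other portions of the query", as an added example that is not part of this thread. It uses Python's sqlite3 module rather than PHP's mysqli so that it runs stand-alone against an in-memory database; the `?` placeholder plays the same role as mysqli's bound parameters. The users table, the probe string and the allow-list of sort columns are constructed here for the example.

```python
import sqlite3

# Constructed sample data for this example (not from the forum thread).
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("o'neil", "oneil@example.test"),   # a legitimate name containing a quote
]

# Identifiers this hypothetical application allows in ORDER BY. A placeholder can
# carry a value but never a column name, so identifiers must be allow-listed.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def make_db():
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_concatenated(conn, name):
    """The pattern the manual warns about: the input becomes part of the SQL text,
    so quote characters in it change the query's structure."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_prepared(conn, name):
    """Parameter binding: the SQL text is fixed, the value is sent separately and
    is never parsed as SQL, so no escaping step is needed (or wanted)."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def concatenation_breaks_on_quote(conn):
    """A quote in ordinary data already breaks the concatenated query: SQLite
    rejects WHERE name = 'o'neil' as a syntax error. Returns True if it did."""
    try:
        find_user_concatenated(conn, "o'neil")
    except sqlite3.OperationalError:
        return True
    return False


def list_users_sorted(conn, column):
    """The 'other portions of the query' case: a sort column is query structure,
    not a parameter, so it is checked against a fixed allow-list before it is
    interpolated. Anything outside the list is refused rather than escaped."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("sort column not allowed: %r" % column)
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY " + column)]


def demo():
    """Run the comparison and return the outcomes for inspection."""
    conn = make_db()
    probe = "bob' OR 'x'='x"   # constructed input that is SQL if concatenated, text if bound
    return {
        "concatenated": find_user_concatenated(conn, probe),  # every row: the WHERE was rewritten
        "prepared": find_user_prepared(conn, probe),          # no row has that literal name
        "quote_in_name": find_user_prepared(conn, "o'neil"),  # the quote is just data
        "quote_breaks_concat": concatenation_breaks_on_quote(conn),
        "sorted_by_name": list_users_sorted(conn, "name"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The three lookups make Jonathon's point concrete: with binding, the same string that rewrites the concatenated query is simply a name nobody has, and a real name containing a quote is matched without any escaping call. The sort function shows the manual's parenthetical: binding covers values only, so the remaining pieces of a query that come from input (column names, sort direction, table names) still need their own control, and an allow-list is the usual one. The htmlspecialchars() and strip_tags() functions from the first post address a different problem (what the browser does with the data when it is displayed) and are applied at output time, not as a substitute for binding.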