Prepared Statements or mysqli->real_escape_string?
Posted: Thu May 15, 2008 10:51 am
So for the dreaded SQL injections.
I have been using a homemade function that strips GPC if it's on and then runs the variable through mysqli->real_escape_string; the "safe" variables are then placed directly into the SQL statement - up until now.
But I have just read a great new book saying that prepared statements are the way.
Is this just a matter of preference, or is one better than the other?
Newbie to PHP here. I have read and now understand loads, but the questions that can be asked here can't be answered in books!
Cheers
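As an added illustration of the two approaches the post compares (example code written for this page, not taken from the original post or any book), here is the "strip magic quotes, escape, interpolate" helper beside its prepared-statement replacement. It assumes a mysqli connection `$db` and a table `users(id INT, username VARCHAR)`; both names, the connection details and the hostile input are made up for the example. The key point it shows: `real_escape_string` only protects a value that sits inside a quoted string literal, so the same helper silently fails in an unquoted numeric context, while a prepared statement sends the query text and the parameters separately and does not care about the context.

```php
<?php
// Added example, not from the original post. Assumes a mysqli connection $db
// and a hypothetical table users(id INT, username VARCHAR). Needs PHP 7.1+.

// The legacy helper: undo magic_quotes_gpc if it is on, then escape for the
// connection's charset. (magic_quotes was removed in PHP 5.4 and the function
// in 8.0; the guard keeps this runnable on both old and current PHP.)
function legacy_clean(mysqli $db, string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $db->real_escape_string($value);
}

// Escaping works here only because $safe is wrapped in single quotes:
// a quote in the input becomes \' and stays inside the literal.
function find_by_name_escaped(mysqli $db, string $username): ?array
{
    $safe = legacy_clean($db, $username);
    $res  = $db->query("SELECT id, username FROM users WHERE username = '$safe'");
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// The same helper in an unquoted numeric context is useless:
// real_escape_string("1 OR 1=1") returns "1 OR 1=1" unchanged, so the
// query becomes  WHERE id = 1 OR 1=1  and matches every row. Kept only to
// show the failure; do not use this pattern.
function find_by_id_escaped(mysqli $db, string $id): ?array
{
    $safe = legacy_clean($db, $id);
    $res  = $db->query("SELECT id, username FROM users WHERE id = $safe");
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Prepared statement: the SQL text is parsed by the server before the value
// is ever seen, so the value cannot change the statement's structure.
// Validate the type first so junk is rejected rather than coerced to 0.
function find_by_id_prepared(mysqli $db, string $id): ?array
{
    if (!ctype_digit($id)) {
        return null;
    }
    $idInt = (int) $id;                       // bind_param needs a variable
    $stmt = $db->prepare("SELECT id, username FROM users WHERE id = ?");
    if ($stmt === false) {
        throw new RuntimeException($db->error);
    }
    $stmt->bind_param('i', $idInt);
    $stmt->execute();
    $stmt->bind_result($foundId, $foundName);  // works without mysqlnd
    $row = $stmt->fetch() ? ['id' => $foundId, 'username' => $foundName] : null;
    $stmt->close();
    return $row;
}

// Same thing for the string column: no stripslashes, no escaping, 's' type.
function find_by_name_prepared(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username = ?");
    if ($stmt === false) {
        throw new RuntimeException($db->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($foundId, $foundName);
    $row = $stmt->fetch() ? ['id' => $foundId, 'username' => $foundName] : null;
    $stmt->close();
    return $row;
}

// Demonstration with a constructed hostile input. Connection details are
// placeholders; set_charset matters because real_escape_string escapes
// according to the connection charset, not the script's.
$db = new mysqli('localhost', 'app', 'secret', 'appdb');
$db->set_charset('utf8mb4');

$hostile = '1 OR 1=1';
var_dump(find_by_id_escaped($db, $hostile));   // first user of the whole table: injected
var_dump(find_by_id_prepared($db, $hostile));  // NULL: rejected before reaching SQL
var_dump(find_by_name_prepared($db, "o'brien")); // the quote is just data
```

Two things to take from this. First, escaping is a property of one specific context (a quoted string literal under the current connection charset); it says nothing about numbers, identifiers, `LIMIT` clauses or `ORDER BY` columns, so every call site has to get the quoting right by hand. Second, the prepared statement is safe regardless of where the placeholder sits, which is why the book recommends it as the default rather than as a preference. Column and table names still cannot be bound as parameters; those have to come from a whitelist in your own code.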