Nikolay Matyushkin, 2018-04-12 15:49:24
PHP

MySQL: what is the difference between the functions?

Hello. I am new to PHP+SQL (in my case MySQL).
I have a mechanism that adds data from forms to the database, and in it I pass all user input through the mysqli_real_escape_string function to guard against possible SQL injections. But recently I was told that it is better to use the mysqli_stmt_bind_param variable-binding function in the same mechanism. The code works either way, but it is not clear to me which function is more useful; maybe there are some pitfalls.
I formulated the question as best I could. Thanks in advance for your replies.
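The two mechanisms the question compares, side by side, as an added example that is not part of the original post. The table `guestbook`, its columns, the connection credentials and the sample form values are all assumptions made up for the illustration:

```php
<?php
// Added example, not code from the original question. Table `guestbook`,
// its columns, and the credentials are assumptions for the illustration.
declare(strict_types=1);

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = mysqli_connect('localhost', 'app', 'secret', 'app');
// Escaping is charset-dependent: set it on the connection, not in the query.
mysqli_set_charset($db, 'utf8mb4');

// Constructed form input; the fallback values stand in for a hostile POST.
$name    = $_POST['name']    ?? "O'Brien";
$message = $_POST['message'] ?? "hi'); DROP TABLE guestbook; -- ";

// 1. Escaping: each value is turned into a string literal by hand.
//    It is only safe while EVERY escaped value is wrapped in single quotes
//    in the SQL; the function itself knows nothing about the query.
$sql = sprintf(
    "INSERT INTO guestbook (name, message) VALUES ('%s', '%s')",
    mysqli_real_escape_string($db, $name),
    mysqli_real_escape_string($db, $message)
);
mysqli_query($db, $sql);

// 2. Binding: the SQL with placeholders is parsed first, the values are sent
//    afterwards, so they cannot change the structure of the statement.
$stmt = mysqli_prepare($db, 'INSERT INTO guestbook (name, message) VALUES (?, ?)');
mysqli_stmt_bind_param($stmt, 'ss', $name, $message); // one type letter per placeholder
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
mysqli_close($db);
```

Both versions insert the same two rows. The difference is where the safety lives: in version 1 it depends on the developer remembering the quotes around every `%s`, in version 2 the database driver keeps the values out of the SQL text entirely.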


5 answer(s)
metallix, 2018-04-12
@metallix

bind_param. Better yet - PDO

Ivan, 2018-04-12
@LiguidCool

maybe there are some pitfalls

There is. Use PDO or better ORM (Eloquent for example).

Oleg, 2018-04-12
@402d

It is useful to understand this, but in real work use the existing higher-level approaches to working with the database. Choose a framework to your taste, or ready-made classes.
Then it looks like this:
$data_model->insert($new_record);

Prince of Denmark, 2018-04-13
@pezdatskiy

There is a cool SafeMySql library, I have been using it in the project for three years now. Much less trouble and everything is ok with security.

FanatPHP, 2018-05-15
@FanatPHP

The difference is very simple.
The mysqli_real_escape_string function is not intended to protect against possible SQL injections, and using it in this capacity is a direct way to get an injection.
One of the purposes of the mysqli_stmt_bind_param function, on the other hand, is to prevent SQL injections; therefore it can and should be used for this purpose.
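An added example (not part of this answer) of the pitfall FanatPHP describes: mysqli_real_escape_string only rewrites characters that would break out of a quoted string literal, so it does nothing for a value the developer splices into the SQL unquoted, while a bound parameter never becomes part of the SQL text at all. The table `users`, its columns, the credentials and the attacker input are assumptions made up for the illustration:

```php
<?php
// Added example, not code from the answer above. Table `users`, its
// columns, and the credentials are assumptions for the illustration.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = mysqli_connect('localhost', 'app', 'secret', 'app');
mysqli_set_charset($db, 'utf8mb4');

// Constructed attacker input for a parameter the developer treats as a number.
$id = $_GET['id'] ?? '1 OR 1=1';

// Escaping only rewrites quotes, backslashes and a few control characters.
// This input contains none of them, so it passes through unchanged, and
// because a "number" was not quoted the query becomes:
//   SELECT id, name FROM users WHERE id = 1 OR 1=1
// which returns every row. The query is built and shown here, not executed.
$escaped = mysqli_real_escape_string($db, $id);
$unsafe  = "SELECT id, name FROM users WHERE id = $escaped";
echo "Escaping alone produced: $unsafe\n";

// With a bound parameter the statement is parsed before any value is seen.
// Type 'i' sends the value as an integer; the SQL text never contains it.
$stmt = mysqli_prepare($db, 'SELECT id, name FROM users WHERE id = ?');
mysqli_stmt_bind_param($stmt, 'i', $id);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
foreach ($result as $row) {
    echo $row['id'], ' ', $row['name'], "\n";
}
mysqli_stmt_close($stmt);

// Caveat: placeholders can hold values only, not identifiers. A column
// name chosen by the user cannot be bound, so it is checked against a
// fixed whitelist before being placed in the query.
$allowed = ['id', 'name'];
$col = $_GET['sort'] ?? 'name';
if (!in_array($col, $allowed, true)) {
    $col = 'name';
}
$rows = mysqli_query($db, "SELECT id, name FROM users ORDER BY `$col`");
mysqli_close($db);
```

The whitelist at the end is the part neither function covers: escaping cannot make a table or column name safe, and bind_param cannot bind one, so anything that is not a plain value has to be validated against a list the code controls.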
