PHP
PO6OT, 2015-12-25 12:16:40

Why prepared statements? Why not escaping?

Why is input escaping preferred over prepared statements to protect against SQL injection?
Why is mysql_real_escape_string() not safe?
Apologies in advance for the pun - I'm not sure the meaning of the expression "preferring one over the other" is correct.


4 answers
neol, 2015-12-25
@neol

Because escaping can be forgotten (and if something is possible, it will happen sooner or later).
There is no such problem with prepared statements.
P.S. Forget mysql_real_escape_string, it's gone. And in general, all the mysql_* functions are no more.

Alexey Ukolov, 2015-12-25
@alexey-m-ukolov

Because it is the more logical step: you know exactly what query you want to execute, so it is much more correct to make a template and fill it with data than to assemble the query anyhow.

Alexey Skobkin, 2015-12-25
@skobkin

They have different benefits. For example, you can use them for their intended purpose: prepare a query and substitute different values in a loop.
Well, all mysql_* functions are deprecated.
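As an added example (not from any of the answers above), here is the difference in PHP with PDO: escaping applied by hand versus a prepared statement reused in a loop. It uses an in-memory SQLite database and constructed inputs so it runs offline; the same PDO calls work against MySQL.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. In-memory SQLite keeps it runnable
// offline; PDO replaces the removed mysql_* API for MySQL as well.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed hostile inputs: one aimed at a quoted string literal,
// one aimed at an unquoted numeric position.
$nameInput = "x' OR '1'='1";
$idInput   = "1 OR 1=1";

// --- Escaping ---------------------------------------------------------
// Helps only where the developer remembered to call it AND the value
// ends up inside a quoted string literal.
$sql = 'SELECT name FROM users WHERE name = ' . $pdo->quote($nameInput);
$byEscapedName = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);   // []

// A numeric column is usually interpolated bare (quote() would turn it into
// a string), so escaping has nothing to act on and every row comes back.
$sql = "SELECT name FROM users WHERE id = $idInput";
$byBareId = $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);        // ['alice', 'bob']

// --- Prepared statement ----------------------------------------------
// The template is fixed before any data is bound, so input can only ever be
// a value. Prepare once, execute many times (the loop case from the answers).
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$results = [];
foreach (['alice', $nameInput, 'bob'] as $candidate) {
    $stmt->execute([':name' => $candidate]);
    $results[$candidate] = $stmt->fetchAll(PDO::FETCH_COLUMN);
}
// $results: 'alice' => ['alice'], "x' OR '1'='1" => [], 'bob' => ['bob']

// Numeric input: validate the type first, then bind with an explicit type.
$byBoundId = [];
$id = filter_var($idInput, FILTER_VALIDATE_INT);                   // false here
if ($id !== false) {
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $byBoundId = $stmt->fetchAll(PDO::FETCH_COLUMN);
}
var_dump($byEscapedName, $byBareId, $results, $byBoundId);
```

The bare-interpolation case is the one escaping cannot cover, which is why the answers above favour a fixed query template over remembering to escape at every call site.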
