Do I need to avoid data to protect against SQL injection when using bind_param () in MySQLi?

Question

Do I need to avoid data to protect against SQL injection when using bind_param () in MySQLi?

As the title says, do I need to avoid user input when using bind_param () or is this done internally?

Thank.

+5

php mysqli

Francisc Sep 13 '11 at 23:04

source share

2 answers

.

http://mysql.lamphost.net/tech-resources/articles/4.1/prepared-statements.html

", , , . , , , . . MySQL , , .

+5

Mob 13 . '11 23:14

Phil · Accepted Answer · 2011-09-13T23:13:27+0000

No, you do not need to avoid data to protect against SQL injection when binding parameters.

This does not exempt you from data verification.

When binding parameters, shielding is not performed (internally or otherwise). The SQL statement is prepared using parameter placeholders, and the values for them are passed at run time.

The database knows which parameters and processes them accordingly, in contrast to the interpolation of SQL values.

Do I need to avoid data to protect against SQL injection when using bind_param () in MySQLi?

More articles: