I have the following code:
function dbPublish($status)
{
global $dbcon, $dbtable;
if(isset($_GET['itemId']))
{
$sqlQuery = 'UPDATE ' . $dbtable . ' SET active = ? WHERE id = ?';
$stmt = $dbcon->prepare($sqlQuery);
$stmt->bind_param('ii', $status, $_GET['itemId']);
$stmt->execute();
$stmt->close();
}
}
Do I need to mysql_real_escape_string in this case or am i okay?
Best Answer
No, you don't have to escape value yourself (i.e. no you don't need to call
mysqli_real_escape_string
), when you are using prepared statements : the DB engine will do that itself.(Actually, if you were calling
mysql_real_escape_string
and using bound parameters, your strings would get escaped twice -- which would not be great : you'd end up with escaping characters everywhere...)As a sidenote : your values are passed as integers (as indicated by the
'ii'
), so you wouldn't have to callmysql_real_escape_string
, even if you were not using prepared statements : as its name indicates, this function is used to escape... strings.For integers, I generally just use
intval
to make sure the data I inject into my SQL queries really are integers.(But, as you are using prepared queries, once again, you don't have to do that kind of escaping yourself)