Msg#: 3765046 posted 12:55 am on Oct 14, 2008 (gmt 0)
Do prepared statements offer more security than using real_escape_string with mysqli?
$id = $mysqli->real_escape_string($id); $sql = "SELECT * FROM table WHERE id = $id " etc. etc.
prepared statement: $sql = "SELECT * FROM table WHERE id = ? " etc. etc.
I have started using prepared statements, but they are much harder for me to debug when things go wrong. Before I could simply output the actual sql statement to see the exact query that was causing the problem. I can't find a way to do this with prepared statements (since I only get back the statement with the '?' placeholders, and I can't see what actually is within the placeholders).
So, aside from performance aspects where prepared statements can be faster for multiple queries using the same statement, does anyone know if there is more security with prepared statements or is using the real escape string on variables going into the sql basically providing the same level of security?