Welcome to WebmasterWorld Guest from 188.8.131.52
$id = $mysqli->real_escape_string($id);
$sql = "SELECT * FROM table WHERE id = $id "
$sql = "SELECT * FROM table WHERE id = ? "
I have started using prepared statements, but they are much harder for me to debug when things go wrong. Before I could simply output the actual sql statement to see the exact query that was causing the problem. I can't find a way to do this with prepared statements (since I only get back the statement with the '?' placeholders, and I can't see what actually is within the placeholders).
So, aside from performance aspects where prepared statements can be faster for multiple queries using the same statement, does anyone know if there is more security with prepared statements or is using the real escape string on variables going into the sql basically providing the same level of security?