
Prepared statements vs. real escape string

security implications

12:55 am on Oct 14, 2008 (gmt 0)

Full Member

10+ Year Member

joined:Jan 5, 2004
posts: 202
votes: 0

Do prepared statements offer more security than using real_escape_string with mysqli?

For example:

$id = $mysqli->real_escape_string($id);
$sql = "SELECT * FROM table WHERE id = '$id'"; // escaping only protects a value that sits inside quotes
etc. etc.

prepared statement:
$sql = "SELECT * FROM table WHERE id = ?";
etc. etc.

I have started using prepared statements, but they are much harder for me to debug when things go wrong. Before I could simply output the actual sql statement to see the exact query that was causing the problem. I can't find a way to do this with prepared statements (since I only get back the statement with the '?' placeholders, and I can't see what actually is within the placeholders).

So, aside from performance aspects where prepared statements can be faster for multiple queries using the same statement, does anyone know if there is more security with prepared statements or is using the real escape string on variables going into the sql basically providing the same level of security?

7:38 pm on Oct 26, 2008 (gmt 0)

Senior Member: eelixduppy (WebmasterWorld Top Contributor of All Time, 10+ Year Member)

joined:Nov 12, 2005
votes: 0

As far as security goes, as long as both are used correctly, then they should both offer enough security to prevent SQL injection.

3:10 pm on Oct 27, 2008 (gmt 0)

Full Member

10+ Year Member

joined:Feb 24, 2005
votes: 0

As far as I am aware, the only big difference is that prepared statements force you to be more secure, while manual query building can create exploits, as all it would take is missing 1 escape.

On another note, I believe preparing statements increases speed?
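The two questions in the thread, whether a placeholder is safer than an escaped value and how to see the bound values when debugging, worked through as an added example that is not from any of the posts. It uses Python's built-in sqlite3 (which accepts the same `?` placeholders as mysqli) so it runs offline; the table, rows and hostile input are constructed, and escape_string is a minimal stand-in for real_escape_string (it only handles the quote character), not the MySQL function itself.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the poster's "table".
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn

def escape_string(value):
    """Stand-in for real_escape_string (SQLite doubles quotes instead of
    backslash-escaping). It can only act on quote characters that are present."""
    return value.replace("'", "''")

def query_escaped_unquoted(conn, user_id):
    # The escape approach with the value interpolated directly, without quotes:
    # an input that contains no quote character passes through untouched.
    sql = "SELECT name FROM users WHERE id = " + escape_string(user_id)
    return [row[0] for row in conn.execute(sql)]

def query_prepared(conn, user_id):
    # The placeholder approach: the driver sends the value separately from the
    # SQL text, so it is compared as data and never parsed as part of the query.
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]

def render_for_log(sql, params):
    """Fill the ? placeholders with their bound values for a log line only,
    answering the "I can't see what is in the placeholders" problem.
    The result is for reading, never for executing."""
    parts = sql.split("?")
    if len(parts) - 1 != len(params):
        raise ValueError("placeholder count does not match parameter count")
    out = parts[0]
    for value, rest in zip(params, parts[1:]):
        out += "'" + str(value).replace("'", "''") + "'" + rest
    return out

def demo():
    conn = make_db()
    hostile = "1 OR 1=1"  # constructed input with nothing for escaping to catch
    return {
        "escaped_ok": query_escaped_unquoted(conn, "1"),
        "escaped_hostile": query_escaped_unquoted(conn, hostile),
        "prepared_ok": query_prepared(conn, "1"),
        "prepared_hostile": query_prepared(conn, hostile),
        "log_line": render_for_log("SELECT name FROM users WHERE id = ?", (hostile,)),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The escaped-and-unquoted query returns every row for the hostile input, while the placeholder query returns none, which is the "missing 1 escape" failure the last reply describes; the log line shows the exact values bound without ever running the rendered string.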