{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 看我几分像从前 的问题《Should I use mysqli_real_escape_string or should I》','https://www.manongdao.com/q-332004.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
This question already has an answer here:
- How can I prevent SQL injection in PHP? 28 answers
Should I use mysqli_real_escape_string or should I use prepared statements?
I've seen a tutorial now explaining prepared statements but I've seen them do the same thing as mysqli_real_escape_string but it uses more lines
Are there any benefits for prepared statements? What do you think is the best method to use?
Use
prepared statementsbecause after using this you doesn't have to usemysqli_real_escape_string.prepared statementsdoing this as by default.Prepared statements only. Because nowhere escaping is the same thing. In fact, escaping has absolutely nothing to do with whatever injections, and shouldn't be used for protection.
While prepared statements offer the 100% security when applicable.
It's very easy to forget (maybe not for you, but other developers you work with) to escape whereas it's very hard to use prepared statements incorrectly to cause a vulnerability. So prepared statements.