We've all read about protecting against SQL injection attacks: How Can I Prevent SQL Injection in PHP, SQL Injection Attacks, PHP: mysqli_real_escape_string, How to prevent code injection attacks in PHP as well as many others concerning the "debate" of php - mysql_real_escape_string vs addslashes.
However, I'm curious about the proper way to protect my SQL statements when utilizing a function on data before passing it to the database. Must I addslashes() and mysqli_real_escape_string() the values before passing them to a function such as crypt() which then would be used in a prepared statement, utilizing bind_param()? Can I forego the addslashes() and mysqli_real_escape_string() because the value eventually goes into a prepared statement?