
We've all read about protecting from SQL injection attacks: How Can I Prevent SQL Injection in PHP, SQL Injection Attacks, PHP: mysqli_real_escape_string, How to prevent code injection attacks in PHP as well as many others concerning the "debate" of php - mysql_real_escape_string vs addslashes.

However, I'm curious about the proper way to protect my SQL statements when utilizing a function on data before passing it to the database. Must I addslashes() and mysqli_real_escape_string() the values before passing them to a function such as crypt() which then would be used in a prepared statement, utilizing bind_param()? Can I forego the addslashes() and mysqli_real_escape_string() because the value eventually goes into a prepared statement?

redhotspike
    _Can I forego the addslashes() and mysqli_real_escape_string() because the value eventually goes into a prepared statement?_ YES and is the way you should be doing it. – AbraCadaver May 25 '16 at 17:37
  • Agreed - http://stackoverflow.com/a/36628423/1301332 answers my question. Mark as duplicate – redhotspike May 25 '16 at 17:41

1 Answer


There is no difference which particular kind of data is going to the database or what the treatment for it was. For the SQL query the process should be all the same.

Your Common Sense
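The point made in the question's comments and in the answer, as an added example (not code from the question or the answer): a password is hashed and then bound as a prepared-statement parameter with no addslashes() or mysqli_real_escape_string() anywhere in the path. The table, column names, and connection details below are assumptions chosen for the illustration.

```php
<?php
// Added example, not from the original post. Assumes a MySQL table
// users(username VARCHAR(64), pass_hash VARCHAR(255)) and placeholder
// connection details.
declare(strict_types=1);

$mysqli = new mysqli('db.example.invalid', 'app_user', 'app_password', 'app_db');
if ($mysqli->connect_errno) {
    throw new RuntimeException('Connect failed: ' . $mysqli->connect_error);
}

// Raw request values. They are not escaped: escaping is only needed when a
// value is spliced into SQL text, and with bound parameters it never is.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// Hashing (password_hash() is built on crypt()) is a transformation of the
// value, not an escaping step; it neither needs nor replaces escaping.
$hash = password_hash($password, PASSWORD_DEFAULT);

// The ? markers keep SQL text and data separate. The driver transmits the
// bound values separately from the statement, so quotes or backslashes in
// $username cannot change the query's structure.
$stmt = $mysqli->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)');
$stmt->bind_param('ss', $username, $hash);
$stmt->execute();
$stmt->close();

// Login check: bind the username, fetch the stored hash, verify in PHP.
$stmt = $mysqli->prepare('SELECT pass_hash FROM users WHERE username = ? LIMIT 1');
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($storedHash);
$loginOk = $stmt->fetch() && password_verify($password, $storedHash);
$stmt->close();

// What NOT to do: escaping a value that is then bound. bind_param() sends the
// string literally, so addslashes("O'Brien") stores "O\'Brien" in the table
// (double escaping), and a user named O'Brien can no longer log in.
// $username = addslashes($_POST['username']);   // corrupts the stored value
```

Using password_hash()/password_verify() rather than calling crypt() directly keeps the hashing choice out of the application code, but the escaping question is the same either way: hash the raw value, bind the result, and let the prepared statement handle the SQL boundary.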