For database security do I need to do BOTH binding parameters in a prepared statement AND mysql_real_escape_string() on the input?
Thanks!
No, parameterised queries are fine on their own. As long as you keep all variable data in parameters, passed separately from the query, they can be picked up without any escape/unescape handling.
You shouldn't blanket-escape at the input phase in general - you don't know what kinds of escape (SQL, HTML, JS, ...) you're going to need until the point you actually inject a value into one of those string contexts. Applying all kinds of escapes over all input data will only lead to mangled and inconsistent input handling.
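To make the two points above concrete, here is an added PHP example (not code from the original question or answer). It assumes a MySQL or MariaDB server reachable with the placeholder credentials shown, and a `users` table with `name` and `email` columns; the `mysqli` API is used because `mysql_real_escape_string()` belongs to the old `mysql` extension, which was removed in PHP 7, and `mysqli` exposes the same escaping function alongside real prepared statements.

```php
<?php
// Added example, not part of the original post. Assumes a MySQL/MariaDB server
// and this table (placeholder DSN/credentials below are NOT real values):
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY,
//                       name VARCHAR(100), email VARCHAR(100));
declare(strict_types=1);

// Turn mysqli errors into exceptions so a failed prepare/execute is not silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('127.0.0.1', 'EXAMPLE_USER', 'EXAMPLE_PASSWORD', 'EXAMPLE_DB'); // placeholders
$db->set_charset('utf8mb4'); // charset must be set on the connection, not guessed by the escaper

// Constructed input: a legitimate quote character and a value that would be
// harmful only if it were ever spliced into the SQL text as code.
$name  = "O'Brien";
$email = "x@example.com'; -- ";

// 1. Correct: bind the raw value. The query text is parsed with '?' placeholders
//    and the data travels separately, so the parser never treats it as SQL and
//    no escaping is required.
$insert = $db->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
$insert->bind_param('ss', $name, $email);
$insert->execute();

// 2. Wrong: escape AND bind. real_escape_string() is for building SQL text by
//    hand; when its output is bound as data instead, the backslash it added is
//    stored literally, so the database now holds "O\'Brien".
$escaped = $db->real_escape_string($name); // "O\'Brien"
$insert->bind_param('ss', $escaped, $email);
$insert->execute();

// Read both rows back, again through a bound parameter.
$select = $db->prepare('SELECT name FROM users WHERE email = ?');
$select->bind_param('s', $email);
$select->execute();
$result = $select->get_result(); // requires the mysqlnd driver

foreach ($result->fetch_all(MYSQLI_ASSOC) as $row) {
    // Raw value as stored: "O'Brien" from step 1, "O\'Brien" from step 2.
    printf("stored: %s\n", $row['name']);

    // 3. Escape only at the point where the value enters a specific string
    //    context. Here that context is HTML, so the HTML escaper is applied to
    //    the stored value; the SQL layer never needed (or wanted) an escape.
    printf("html:   <td>%s</td>\n", htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'));
}
```

Step 2 is what "doing both" looks like in practice: the query is still safe, but the stored data is corrupted, and every later consumer (the HTML view above, a JSON API, an email template) would have to know to strip the stray backslash. Keeping the value raw through the SQL layer and escaping once, at output, for the concrete context is what the answer recommends.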