I'm using prepared statements with some of my data manipulation on a MySQL database. Up to this point, I've always been using the real_escape_string function but everything I've read about using prepared statements says this is no longer necessary due to the separation of logic.
I need to be careful with this project regarding SQL injection. I take as many pre-emptive measures as possible with various data validation techniques and then use the real_escape_string function as the last line of defense. I'm reluctant to let this last line of defense go, but then again, I don't want to do any unnecessary processing of data.
Has anyone run across any problems or identified any weaknesses using prepared statements and forgoing the use of the real_escape_string function?
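An added example in PHP/mysqli (not the asker's code) contrasting the two patterns the question describes and showing why escaping should not be kept as an extra step once values are bound. It assumes placeholder connection details and a hypothetical `users` table with `id`, `name` and `email` columns.

```php
<?php
// Added example, not from the original post. Connection values are placeholders;
// the table users(id INT, name VARCHAR(64), email VARCHAR(128)) is assumed.
$db = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4'); // escaping is only correct for the connection's charset

// Pattern A: escape, then concatenate. This is safe only while the escaped value
// sits inside single quotes; real_escape_string does not know the SQL context
// (an unquoted numeric or LIMIT position gains nothing from it).
function findByEmailEscaped(mysqli $db, string $email): ?array {
    $safe = $db->real_escape_string($email);
    $sql  = "SELECT id, name FROM users WHERE email = '$safe'";
    return $db->query($sql)->fetch_assoc() ?: null;
}

// Pattern B: prepared statement. The SQL text reaches the server before any
// value does, and the value is bound separately, so it is never parsed as SQL
// whatever it contains. No escaping is needed and none should be applied.
function findByEmailPrepared(mysqli $db, string $email): ?array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);   // 's' = string; use 'i' for integer columns
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// Why the "last line of defense" must go: bind_param transmits the value verbatim,
// so a value that was escaped first is stored with its backslashes.
function insertUser(mysqli $db, string $name): void {
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (?)');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->close();
}
insertUser($db, "O'Brien");                          // stored as O'Brien
insertUser($db, $db->real_escape_string("O'Brien")); // stored as O\'Brien: corrupted data
```

Input validation (length, format, allowed characters) still belongs in front of both patterns; it is the escaping step, not validation, that the prepared statement makes redundant.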