mysqli prepared statements and mysqli_real_escape_string

渐次进展 2020-12-10 16:14

I'm currently using the mysqli php extension.

Traditionally I have used mysqli_real_escape_string to escape user input. However I am looking at changing over the c

3 answers
  •  隐瞒了意图╮
    2020-12-10 17:00

    Speaking of security, there is no difference between both methods, if you correctly bind or format your variables.

    Binding is just simpler, because it can be used just for any case, while escaping can't (so, you have to cast some variables instead of escaping/quoting).

    Also, bear in mind that neither binding nor escaping can make an identifier safe. So, if you have to use a field name or operator in your query, you have to use a value hardcoded in your script.
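    The three points of this answer as an added PHP example (not code from the question or the answer above); it assumes an open mysqli connection `$db` with mysqlnd available for `get_result()`, and a `users` table with `id`, `name` and `created_at` columns:

```php
<?php
// Added example: escaping vs. binding vs. identifiers with mysqli.
// Assumes $db is an open mysqli connection and a users(id, name, created_at) table.

// 1. Escaping only protects a value that is also quoted, and it depends on the
//    connection charset being set (set_charset), or multibyte input can break it.
//    An integer cannot be "escaped" at all; it has to be cast instead.
function find_by_escaping(mysqli $db, string $name, $id): mysqli_result|false
{
    $db->set_charset('utf8mb4');
    $safeName = $db->real_escape_string($name);      // escape AND quote below
    $safeId   = (int) $id;                            // cast, never quote/escape
    $sql = "SELECT id, name FROM users WHERE name = '$safeName' AND id = $safeId";
    return $db->query($sql);
}

// 2. Binding treats both parameters the same way: no quoting, no casting,
//    the driver sends values separately from the statement text.
function find_by_binding(mysqli $db, string $name, int $id): mysqli_result|false
{
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = ? AND id = ?");
    $stmt->bind_param('si', $name, $id);              // 's' = string, 'i' = integer
    $stmt->execute();
    return $stmt->get_result();
}

// 3. Neither escaping nor binding can protect an identifier (column name,
//    sort direction, operator). Map user input to a hardcoded value instead.
const SORTABLE = ['name' => '`name`', 'created' => '`created_at`'];
const DIRECTIONS = ['asc' => 'ASC', 'desc' => 'DESC'];

function sort_clause(string $column, string $direction): string
{
    $col = SORTABLE[$column] ?? SORTABLE['name'];     // unknown input -> default
    $dir = DIRECTIONS[strtolower($direction)] ?? 'ASC';
    return "$col $dir";                               // only hardcoded fragments
}

function list_sorted(mysqli $db, string $column, string $direction): mysqli_result|false
{
    $orderBy = sort_clause($column, $direction);      // user input never reaches SQL
    return $db->query("SELECT id, name FROM users ORDER BY $orderBy");
}
```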
