Are PHP MySQLi prepared queries with bound parameters secure?

Front-end · unresolved · 3 answers · 1125 views
温柔的废话
温柔的废话 2020-12-10 18:23

Historically, I've always used

mysql_real_escape_string()

for all input derived from users that ends up touching the database.

Now

3 answers
  •  挽巷
    挽巷 (original poster)
    2020-12-10 19:13

    When you bind parameters to a prepared statement, it escapes the data automatically, so you shouldn't escape it before you send it through. Double escaping is usually a bad thing. At the very least, it produces ugly results with extra escaped characters later on.
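    An added example (not from the original post) showing the two points above side by side: binding the raw value with `bind_param()` needs no manual escaping, while running `real_escape_string()` first and then binding stores the backslash literally. The connection credentials, the `users` table and the `insertName()` helper are assumptions for the demonstration.

```php
<?php
// Added example, not the original poster's code. Assumes a reachable MySQL
// server with the placeholder credentials below and this table:
//   CREATE TABLE users (id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(64));
$db = new mysqli('127.0.0.1', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}

// Untrusted input that contains a character which is special inside a SQL string literal.
$userInput = "O'Brien";

// Correct usage: the value travels as a bound parameter and is never spliced into
// the SQL text, so no escaping is needed and the stored value is exactly "O'Brien".
function insertName(mysqli $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (?)');
    $stmt->bind_param('s', $name);   // 's' marks the parameter as a string
    $stmt->execute();
    $id = $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Double escaping: escaping first and then binding stores the backslash literally,
// so this row ends up holding "O\'Brien" rather than the user's real name.
$escaped = $db->real_escape_string($userInput);

$goodId = insertName($db, $userInput);
$badId  = insertName($db, $escaped);

// Read both rows back, again through a bound parameter, to compare what was stored.
$stmt = $db->prepare('SELECT id, name FROM users WHERE id IN (?, ?)');
$stmt->bind_param('ii', $goodId, $badId);
$stmt->execute();
foreach ($stmt->get_result()->fetch_all(MYSQLI_ASSOC) as $row) {
    printf("id=%d name=%s\n", $row['id'], $row['name']);
}
$stmt->close();
$db->close();
```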
