Do I need to escape data to protect against SQL injection when using bind_param() on MySQLi?

Question

As the title says, do I have to escape user input when using bind_param() or is that done internally?

Thank you.

Answer 1

No.

To quote this

http://mysql.lamphost.net/tech-resources/articles/4.1/prepared-statements.html

"Normally when you are dealing with an ad hoc query, you need to be very careful when handling the data that you received from the user. This entails using functions that escape all of the necessary trouble characters, such as the single quote, double quote, and backslash characters. This is unnecessary when dealing with prepared statements. The separation of the data allows MySQL to automatically take into account these characters and they do not need to be escaped using any special function."