Should I use mysqli_real_escape_string or should I use prepared statements? [duplicate]

Answer 1

Prepared statements only. Because nowhere escaping is the same thing. In fact, escaping has absolutely nothing to do with whatever injections, and shouldn't be used for protection.

While prepared statements offer the 100% security when applicable.

Answer 2

It's very easy to forget (maybe not for you, but other developers you work with) to escape whereas it's very hard to use prepared statements incorrectly to cause a vulnerability. So prepared statements.

Answer 3

Use prepared statements because after using this you doesn't have to use mysqli_real_escape_string. prepared statements doing this as by default.