Quick MySQLi security question [duplicate]

This question already has answers here: Closed 12 years ago.

P开发者_运维技巧ossible Duplicate:

Do I have to use mysql_real_escape_string if I bind parameters?

I have a quick MySQLi security related question...

For example, take a look at this code (gets input from the user, checks it against the database to see if the username/password combination exist):

$input['user'] = htmlentities($_POST['username'], ENT_QUOTES);
$input['pass'] = htmlentities($_POST['password'], ENT_QUOTES);

// query db
if ($stmt = $mysqli->prepare("SELECT * FROM members WHERE username=? AND password = ?"))
{
    $stmt->bind_param("ss", $input['user'], md5($input['pass'] . $config['salt']));
    $stmt->execute();
    $stmt->store_result();

    // check if there is a match in the database for the user/password combination
    if ($stmt->num_rows > 0)
    {}
}

In this case, I am using htmlentities() on the form data, and using a MySQLi prepared statement. Do I still need to be using mysql_real_escape_string()?

---

No, you do not need to use mysql_real_escape_string if you are binding the parameters using prepared statements. In fact using it will give you the wrong result as the escaped data will be inserted into the database. mysql_real_escape_string is needed when the parameter is written directly into the SQL string without using parameters.

---

Yes since there are non html related entities that can cause harm to your database that real escape string catches. Like UTF-8 characters.

But as noted here in the comments you are using mysqli prepare and that is enough.

BTW MySQLi has it's own escape string function. if you are interested.