11-30-2012, 05:48 PM | #2
Fou-Lu
God Emperor
Join Date: Sep 2002
Location: Saskatoon, Saskatchewan
Posts: 15,645
Thanks: 4
Thanked 2,450 Times in 2,419 Posts
MySQL library itself is old. Really old; API indicates that it is discouraged to use it old.
I assume what you actually mean is prepared statements; PDO is an abstraction layer which happens to support prepared statements. MySQLi, OCI and SQLServer all support prepared statements as well.
Prepared statements provide much better SQL injection prevent-ability. As in, 0% chance of injection. Prepared statements precompile the statement structure separate from the data so it is impossible for the data to corrupt the SQL itself with input data bound by variable. It's also a dream in batch processing.
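The separation of statement structure from bound data described in the post above, as an added example that is not part of the original post: a concatenated query beside its prepared form, plus one prepared INSERT reused for a batch. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs offline; the table, column and function names are hypothetical.

```php
<?php
// Added example. SQLite in-memory stands in for MySQL (requires pdo_sqlite);
// table, column and function names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With a mysql: DSN, also turn off emulation so the server prepares the statement:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');

// Batch processing: the statement is prepared once and executed once per row.
$insert = $pdo->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
$rows = [
    ['alice', 'alice@example.test'],
    ['bob', 'bob@example.test'],
    ["o'brien", 'obrien@example.test'], // a quote in the data needs no escaping
];
foreach ($rows as [$name, $email]) {
    $insert->execute([':name' => $name, ':email' => $email]);
}

// Before: input concatenated into the SQL text becomes part of the statement.
function findByNameConcatenated(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// After: the statement structure is fixed; input is bound as a value only.
function findByNamePrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$input = "nobody' OR '1'='1"; // constructed test input

// Concatenated: the input rewrites the WHERE clause, so every row matches.
var_dump(count(findByNameConcatenated($pdo, $input)));
// Prepared: the input is compared as one literal string, so no row matches.
var_dump(count(findByNamePrepared($pdo, $input)));
// Legitimate data containing a quote is stored and found intact.
var_dump(findByNamePrepared($pdo, "o'brien"));
```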