Re: Do we need mysql_real_escape_string when we use mysqli ?
May 13, 2013 at 12:58 am
#134876
More specifically, **no**, do not use `mysql_real_escape_string()` with ext/mysqli.
You cannot mix the `mysql_*()` functions with `mysql`**`i`** (functional or object-oriented styles). It may or may not throw any errors, but it will not do anything useful (and may even *open* security holes by making you *think* your data is escaped when it is not).
A better option with mysqli is to use [prepared statements](http://php.net/mysqli.prepare): this way, you don’t have to worry about escaping data at all. MySQL will do it for you.
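The prepared-statement approach mentioned in the reply above, as an added example that is not part of the original post. The connection details, the `users` table and the `find_user_by_email()` helper are hypothetical placeholders.

```php
<?php
// Added example; host, credentials, schema and table are placeholders.
// Make mysqli throw mysqli_sql_exception instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4'); // set the connection charset explicitly

/**
 * Hypothetical helper: look up one user row by e-mail address.
 * Returns the row as an array, or null when nothing matches.
 */
function find_user_by_email(mysqli $db, string $email): ?array
{
    // The SQL text contains only a ? marker; the value is sent
    // separately and is never concatenated into the query string.
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = ?');
    $stmt->bind_param('s', $email); // 's' = bind as string
    $stmt->execute();

    $stmt->bind_result($id, $foundEmail);
    $row = $stmt->fetch() ? ['id' => $id, 'email' => $foundEmail] : null;
    $stmt->close();

    return $row;
}

// Constructed input containing quotes and SQL keywords. It is compared
// as a literal string against the email column, not parsed as SQL.
$input = "o'brien@example.com' OR '1'='1";
var_dump(find_user_by_email($db, $input));

$db->close();
```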