If I use prepared statements on all MySQL queries, will I still need to use mysql_real_escape_string() etc. to prevent SQL injection?

The problem: I made my code run through a foreach over all $_POST elements and call mysql_real_escape_string() on each of them.

But it became a problem when I started using CKEditor on textareas, because it generates HTML code which is inserted into the database. BUT before it is inserted, it goes through that foreach loop which I mentioned previously, escaping all quotes generated by CKEditor and making it non-functional when displayed in an HTML page.

So maybe prepared statements are the way to go?
If you use prepared statements correctly, you don't need to escape the content you are inserting, because you are separating the content from the SQL code.
But it is NOT a magic method, just "using prepared methods". You need to make sure your code actually goes into parameters. You can (I'm not saying you are doing this, but to be sure) just prepare a query that you would otherwise run, and have the same problems you used to have.
If you remember that prepared statements are not a magical "now it is safe" button, you'll be fine with skipping the escape code.
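The two patterns the answer contrasts, as an added example that is not part of the question or the answer: a statement that is "prepared" in name only because the POST value is already interpolated into the SQL text, beside one that binds the value as a parameter. The table `posts`, its columns and the connection details are placeholders.

```php
<?php
// Added example, not code from the original post. Assumes a table
// posts(id, title, body) and the placeholder credentials below.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

// WRONG: prepare() receives SQL that already contains the user input, so
// the value is part of the query's structure. This is the case the answer
// warns about: it has exactly the problems the old escaping loop had.
function insertPostUnsafe(mysqli $db, array $post): bool
{
    $sql = "INSERT INTO posts (title, body) VALUES ('{$post['title']}', '{$post['body']}')";
    $stmt = $db->prepare($sql);
    return $stmt !== false && $stmt->execute();
}

// RIGHT: the SQL text holds only placeholders and the values are sent
// separately. Quotes inside CKEditor's HTML are stored byte for byte and
// can never change the statement, so mysql_real_escape_string() is not needed.
function insertPostSafe(mysqli $db, array $post): bool
{
    $stmt = $db->prepare('INSERT INTO posts (title, body) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $post['title'], $post['body']);
    return $stmt->execute();
}

// Constructed sample input standing in for $_POST from a CKEditor form;
// it carries the quotes that the escape-everything loop was mangling.
$sample = [
    'title' => "Quotes aren't a problem",
    'body'  => '<p class="intro">Hello, <a href="https://example.com">world</a></p>',
];

insertPostSafe($db, $sample);

// Read it back: the HTML comes out exactly as CKEditor produced it.
// (get_result() needs the mysqlnd driver.) Storing raw HTML is the poster's
// design; keep in mind that SQL injection and HTML output safety are separate
// concerns, and parameters only solve the first.
$stmt = $db->prepare('SELECT body FROM posts WHERE title = ?');
$stmt->bind_param('s', $sample['title']);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
echo $row['body'];
```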