I am using a form to update data displayed on a site. This is just text information but it will contain apostrophes and quotes.
I figured using a prepared statement with parameters for both the Update SQL statement and Select statements would automatically escape and unescape the special characters respectively. This doesn't seem to happen. The prepared statement still messes up with an apostrophe due to the statement being malformed because of the apostrophe.
I work around this using mysqli_real_escape_string on my strings before updating but when I get the strings using another prepared statement (select with one parameter) the escaped apostrophe shows up in the text on the html page (ex: /'hello/' instead of 'hello' ).
So I use stripslashes. This works but I thought that mysqli prepared statements did this for you. Any ideas?
Update:
$mysqli = new mysqli($servername, $username, $password, $dbname);
if ($mysqli->connect_error) {
die("Connection failed: " . $mysqli->connect_error);
}
$sql = "UPDATE table SET mycol= ? WHERE myparam= ?";
$stmt = $mysqli->prepare($sql);
$stmt->bind_param('ss', $mycol, $myparam);
if (!$stmt->execute()) {
echo "Error updating record: " . $stmt->error;
}
Get:
$mysqli = new mysqli($servername, $username, $password, $dbname);
if($mysqli->connect_error)
{
die("$mysqli->connect_errno: $mysqli->connect_error");
}
$sql= "Select * From table Where myvar= ?";
$stmt = $mysqli->prepare($sql);
$stmt->bind_param("s", $myparam);
$stmt->execute();
$stmt_result = $stmt->get_result();
if ($stmt_result->num_rows>0) {
$row = $stmt_result->fetch_assoc(); }
Use "mysqli_real_escape_string" function to avoid security risks.
Sorry to bother people!
The prepared statement works as intended and I do not need to use mysqli_real_escape_string.
The issue I was seeing afterwards was me double escaping the text. It is fixed.
Thanks to everyone who responded!