I know that mysqli_prepare tuning is used to prepare SQL queries and protect them against SQL Injection.
I found two pages about SQL Injection:
I'm starting to study on the subject, and I was wondering if the mysqli_prepare function can prevent such cases, or if it would need "something else" in my PHP script besides mysqli_prepare.
My question is:
Does using mysqli_prepare prevent ALL SQL Injection attacks, or is it restricted to the main types of SQL Injection attacks?
mysql_prepare avoids SQLinjection, as long as you use parameters in the query. If you use mysql_prepare concatenated the values of the fields with the query, it will not do any good, but the mysql_ * functions are considered obsolete. I would refer you to using PDO, it is very good to work with database, and if one day you need to change your database, it will be much simpler with PDO.
The purpose of prepared statements is not to include data in your SQL statements. Including them in your SQL statements is NOT safe. Always use prepared statements. They are cleaner to use and not prone to SQL injections.
Escaping strings to include in SQL statements does not work very well in some locales hence it is not safe.
Translation:
The purpose of prepared statements is to not include data in SQL statements
"Escape strings" to include in SQL statements do not work in some cases, so it is not safe
Retrieved from php.net
