preparedStatements are interpreted by the database and stored there while your connection is active. When they are read, the database already interprets the data types that should go in each placeholder, so if you pass a parameter with the wrong type (or valid SQL, for example), the database will simply give an error. In the case of text fields, the database will even accept SQL, but it will be saved in that field's column instead of actually being executed.

From a security point of view you should not even trust what comes from the database, for situations like this where the user saves SQL in a text field. But this applies more to SELECT situations than to INSERT/UPDATE/DELETE situations.
Update

I checked the site mentioned and realized that the author is using concatenated queries. It concatenates SQL with the variables coming from the user, and that is why it uses escaping. In the examples where it uses preparedStatements it also does not escape.
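As an added example (not part of the original answer), the contrast described above shown with Python's sqlite3 module: a parameterized INSERT stores an apostrophe or SQL-looking text as plain data, a concatenated INSERT breaks on the apostrophe and needs the quote-doubling escape, and a value read back from the table is bound again rather than concatenated. The table and the sample inputs are constructed for the example.

```python
import sqlite3

# Constructed sample inputs: a value with an apostrophe and one that looks like SQL.
SAMPLE_INPUTS = ["O'Reilly", "SELECT * FROM notes WHERE id = 1"]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    return conn

def save_note_param(conn, body):
    # Parameterized statement: the value is bound to the placeholder, so quotes
    # or SQL keywords inside it are stored as text and never parsed as SQL.
    conn.execute("INSERT INTO notes (body) VALUES (?)", (body,))

def save_note_concat(conn, body):
    # Concatenated query: the input becomes part of the SQL text itself, so a
    # plain apostrophe already breaks the statement.
    conn.execute("INSERT INTO notes (body) VALUES ('" + body + "')")

def save_note_concat_escaped(conn, body):
    # The escape that concatenated code needs (double each single quote);
    # this is what the site mentioned above does, and parameters make it unnecessary.
    escaped = body.replace("'", "''")
    conn.execute("INSERT INTO notes (body) VALUES ('" + escaped + "')")

def find_note(conn, body):
    # A value read back from the database is untrusted input for the next query,
    # so it is bound as a parameter too instead of being concatenated.
    return [row[0] for row in conn.execute("SELECT id FROM notes WHERE body = ?", (body,))]

def stored_bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM notes ORDER BY id")]

def demo():
    # Feed every input to each saver; returns {name: (outcome per input, stored rows)}.
    results = {}
    for name, saver in [("param", save_note_param), ("concat", save_note_concat),
                        ("escaped", save_note_concat_escaped)]:
        conn = make_db()
        outcomes = []
        for text in SAMPLE_INPUTS:
            try:
                saver(conn, text)
                outcomes.append("stored")
            except sqlite3.Error as exc:
                outcomes.append("error: " + str(exc))
        results[name] = (outcomes, stored_bodies(conn))
    return results
```

Running `demo()` shows the "concat" saver failing on the first input while "param" and "escaped" store both inputs verbatim, the SQL-looking one included.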