There's a comment in another question that says the following:
"When it comes to database queries, always try and use prepared parameterised queries. The mysqli and PDO libraries support this. This is infinitely safer than using escaping functions such as mysql_real_escape_string."
So, what i want to ask is: Why are prepared parameterized queries more secure?
For one, you're leaving the escaping of dangerous characters to the database, which is a lot safer than you, the human.
... it won't forget to escape, or miss out on any special characters which could be used to inject some malicious SQL. Not to mention, you could possibly get a performance improvement to boot!
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki