Are dynamic mysql queries with sql escaping just as secure as prepared statements?


Yes, but a qualified yes. You need to properly escape 100% of the input. And you need to properly set character sets (If you're using the C API, you need to call the mysql_set_character_set() instead of SET NAMES).

If you miss one tiny thing, you're vulnerable. So it's yes, as long as you do everything right... And that's the reason a lot of people will recommend prepared queries. Not because they are any safer.

But because they are more forgiving...

Prepared statements have 2 round trips, prepare and execute. Does each time run mysql escape string on a variable count as a round trip to the database? – bshack Jan 23 at 4:34

@bshack: I don't believe so. It uses the charset from the open connection, so it shouldn't need to round-trip (but I could be wrong, I haven't inspected the source code of the API, only the documentation)... – ircmaxell Jan 23 at 4:40

Is there anything else you have to do other than setting the character set? – Michael Jan 24 at 16:06

@Michael: if you properly escape everything, then no. (And properly escape means mysql_real_escape_string() for strings, integer casting for ints, etc. and whitelisting field names for sorts/other operations where string values are added to the query as identifiers). – ircmaxell Jan 24 at 16:10
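As an added example (not part of either answer), the three rules from the comment above, escaped string literals, integer casts and whitelisted identifiers, applied by a small stand-alone Python query builder. The escaper mirrors the character set that mysql_real_escape_string() documents but knows nothing about the connection charset, which is exactly the gap the answer warns about, so real code calls the driver's connection-aware escape function or uses prepared statements; `users`, the column names and `SORTABLE` are assumptions for the demo.

```python
import re

# Identifier shape check, applied after the whitelist lookup (belt and braces).
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# The characters mysql_real_escape_string() escapes, per the MySQL C API docs:
# NUL, newline, carriage return, backslash, single quote, double quote, Ctrl-Z.
# Constructed table for this demo; it ignores multibyte charset issues.
_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}

def quote_str(value: str) -> str:
    """Return a quoted SQL string literal with every special char escaped."""
    return "'" + "".join(_ESCAPES.get(ch, ch) for ch in value) + "'"

def quote_int(value) -> str:
    """Integer casting: anything that is not an int (e.g. '1 OR 1=1') raises."""
    return str(int(value))

def quote_ident(name: str, allowed: frozenset) -> str:
    """Identifiers cannot be escaped meaningfully, so they are whitelisted."""
    if name not in allowed or not IDENT_RE.match(name):
        raise ValueError(f"column not whitelisted: {name!r}")
    return f"`{name}`"

# Columns a caller may sort by (assumed for the demo).
SORTABLE = frozenset({"id", "name", "created"})

def build_query(name, min_id, sort_col) -> str:
    """Every dynamic piece goes through exactly one typed quoting function."""
    return ("SELECT id, name FROM users WHERE name = " + quote_str(name)
            + " AND id > " + quote_int(min_id)
            + " ORDER BY " + quote_ident(sort_col, SORTABLE))

if __name__ == "__main__":
    print(build_query("O'Brien", "5", "name"))
```

Each of the three helpers either neutralises or rejects its input; skipping any one of them for a single value is the "miss one tiny thing" case from the answer.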

Yes. Now I have to keep typing because Stackoverflow wants 30 characters.

I think @ircmaxell got it right on. As a follow up, be on the lookout for this kind of thing. I used to do it all the time: And when I say "used to do it", what I mean is that I eventually gave up and just started using prepared statements!

