No, you don't have to escape value yourself (i.e. no you don't need to call mysqli_real_escape_string
), when you are using prepared statements : the DB engine will do that itself.
(Actually, if you were calling mysql_real_escape_string
and using bound parameters, your strings would get escaped twice -- which would not be great : you'd end up with escaping characters everywhere...)
As a sidenote : your values are passed as integers (as indicated by the 'ii'
), so you wouldn't have to call mysql_real_escape_string
, even if you were not using prepared statements : as its name indicates, this function is used to escape... strings.
For integers, I generally just use intval
to make sure the data I inject into my SQL queries really are integers.
(But, as you are using prepared queries, once again, you don't have to do that kind of escaping yourself)
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…