From: Johan De Meersman
Date: May 14 2012 2:50pm
Subject: Re: MySQL Community Server 5.1.63 has been released
List-Archive: http://lists.mysql.com/mysql/227428

----- Original Message -----
> From: "Govinda"
>
> 1.) Is anyone *who knows what he is doing* still using
> mysql_real_escape_string()? Ever?

I seem to vaguely remember someone showing me some code that would bypass escaping; but I didn't really pay a lot of attention, to be honest :-)

Personally I haven't used escapes in ages, for the simple reason that prepared statements are just that much more convenient - and even if MySQL doesn't do a lot with it for the time being, they also allow for some very nifty in-server optimizations using cached query plans and similar nifties.

Using them is a good habit for three reasons:
1) it makes you immune to SQL injections, at least as effectively as escaping;
2) if MySQL finally gets around to implementing an execution plan cache, you'll start benefiting without having to lift a finger;
3) you won't need to learn new ways of working if you need to code on different databases :-)

--
Beer with grenadine
Is like mustard with wine
She who drinks it is a prude
He who drinks it is soon a donkey
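The contrast Johan draws between escaping and prepared statements, as an added example that is not part of the original post. It uses Python's sqlite3 as an offline stand-in for MySQL, and `escape_quotes` is an assumed, deliberately simplified imitation of mysql_real_escape_string (it only doubles single quotes); the point it shows is that escaping protects a value only while that value sits inside a quoted literal, whereas a bound parameter is data no matter where it appears in the statement.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for MySQL so this runs offline.
def setup() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "O'Brien")])
    return conn


def escape_quotes(value: str) -> str:
    """Assumed, minimal stand-in for mysql_real_escape_string: it neutralises
    the quote character that could end a string literal and nothing else."""
    return value.replace("'", "''")


def by_name_escaped(conn: sqlite3.Connection, name: str) -> list[int]:
    # Escaping is adequate here: the value is embedded inside '...'.
    sql = "SELECT id FROM users WHERE name = '%s'" % escape_quotes(name)
    return [row[0] for row in conn.execute(sql)]


def by_id_escaped(conn: sqlite3.Connection, user_id: str) -> list[int]:
    # Same escaper, but the value lands in an unquoted numeric position,
    # so there is no quote to escape and the input becomes part of the
    # statement's syntax. This is the fragile pattern, kept for contrast.
    sql = "SELECT id FROM users WHERE id = %s" % escape_quotes(user_id)
    return [row[0] for row in conn.execute(sql)]


def by_name_bound(conn: sqlite3.Connection, name: str) -> list[int]:
    # Parameter binding: the driver sends the value separately from the SQL.
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def by_id_bound(conn: sqlite3.Connection, user_id) -> list[int]:
    # Binding does not care about the surrounding syntax; a non-numeric
    # string simply matches no integer id instead of rewriting the query.
    rows = conn.execute("SELECT id FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = setup()
    print(by_name_escaped(db, "O'Brien"), by_name_bound(db, "O'Brien"))
    print(by_id_escaped(db, "1 OR 1=1"), by_id_bound(db, "1 OR 1=1"))
```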