I can verify the encoding of the string with mb_check_encoding()
I wish to verify the encoding, not only for security reasons but also to be sure the data is valid, as in, will be displayed correctly.
OK - That's probably not a bad idea, but security-wise prepared statements are completely resistant to any kind of SQL injection attack. This is because with bound parameters, the data and the query are transmitted separately and the data is never interpreted by the database engine.
You don't even need to switch to PDO either, since the mysqli_ functions support prepared statements (either procedural or object oriented) without the need for anything else.
True, but I'm not wild about having the MySQL connection global in scope... another reason to abandon the procedural style and, if the connection is needed in other functions, pass the PDO object by reference.
True, but I'm not wild about having the MySQL connection global in scope...
What has that got to do with anything - the only difference between the mysql_ and mysqli_ connections if you use procedural code is whether the database connection comes before or after the query in the parameter list.
If you use the OO version of mysqli_ then you don't need to specify the connection as it is stored within the SQL object you create when you open the database connection.
Whichever way you access the database, the scope of the connection depends entirely on when you do the call to connect and is exactly the same for both mysql_ and mysqli_.
The only difference is that mysqli_ supports prepared statements without the need for any add-ons such as PDO.
As such, using mysqli_ is the cleaner and potentially more secure alternative.
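An added example (not code from anyone in this thread) showing the two points made above: the UTF-8 validity check with mb_check_encoding(), and the same bound-parameter query written in both the object-oriented and the procedural mysqli_ style, with the connection passed explicitly rather than held in global scope. The host, credentials, database name and the users table are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL server reachable at
// localhost with a database "app" and a table created as (hypothetical):
//   CREATE TABLE users (id INT PRIMARY KEY, name VARCHAR(100)) CHARACTER SET utf8mb4;
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on driver errors

// Reject input that is not valid UTF-8 before it is stored, so it will display correctly later.
function assertUtf8(string $value): string
{
    if (!mb_check_encoding($value, 'UTF-8')) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return $value;
}

// Object-oriented mysqli: the connection lives inside the object that is passed in.
function findUserOO(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name); // the value is sent separately from the SQL text
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Procedural mysqli: same query, with the connection handle as the first parameter.
function findUserProcedural(mysqli $db, string $name): array
{
    $stmt = mysqli_prepare($db, 'SELECT id, name FROM users WHERE name = ?');
    mysqli_stmt_bind_param($stmt, 's', $name);
    mysqli_stmt_execute($stmt);
    return mysqli_fetch_all(mysqli_stmt_get_result($stmt), MYSQLI_ASSOC);
}

$db = new mysqli('localhost', 'app_user', 'app_password', 'app'); // hypothetical credentials
$db->set_charset('utf8mb4'); // keep the connection charset consistent with the validation above

// Constructed input containing a quote: bound as data, it is matched literally and
// cannot change the structure of the query.
$name = assertUtf8("O'Brien");
var_dump(findUserOO($db, $name) === findUserProcedural($db, $name));
```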