I have been trying to move from non-prepared statements to prepared statements. I have heard the mysqli_stmt_bind_param does some of the work that mysqli_real_escape_string does. I tested it though and I am receiving some confusing results. I tried to insert
$variable = a\a\
into a database by passing it through mysqli_stmt_bind_param, which gives me an SQL error. (“Problem: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘‘a\a\’’ at line 1”)
However, if I do that in just a normal query using $result = mysql_query(insert into, values), I do not get this error, and a\a\ shows up in the database.
However, using mysqli_stmt_bind_param to insert a\a AFTER using mysqli_real_escape_string on a\a\ puts it into the database, escaped as expected as a\\a\\.
I have several questions here:
1) Why do I get an error when trying to insert $variable into my database using mysqli_prepare/mysqli_stmt_bind_param?
2) What are the supposed security features of mysqli_stmt_bind_param?
3) Should I still escape everything before putting it into a prepared mysqli statement?
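An added example, not from the question above, showing the raw value a\a\ bound through a prepared statement and read back unchanged, then contrasted with the result of escaping it first; the host, credentials, database name and the `samples` table (one VARCHAR column `val`) are assumptions for this example:

```php
<?php
// Added example: assumes a local MySQL database "testdb" with a table
//   samples (id INT AUTO_INCREMENT PRIMARY KEY, val VARCHAR(64))
// The connection details and table are assumptions, not from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'user', 'password', 'testdb');

// The literal string a\a\ (PHP source needs \\ for each single backslash).
$variable = 'a\\a\\';

// The SQL text contains only a placeholder; the value is sent separately
// when the statement executes, so it is never parsed as SQL and no escaping
// is applied or needed.
$stmt = $db->prepare('INSERT INTO samples (val) VALUES (?)');
$stmt->bind_param('s', $variable);
$stmt->execute();
$stmt->close();

// Read the row back, again through a bound parameter.
$stmt = $db->prepare('SELECT val FROM samples WHERE val = ?');
$stmt->bind_param('s', $variable);
$stmt->execute();
$stmt->bind_result($stored);
$found = $stmt->fetch();
$stmt->close();

if ($found && $stored === $variable) {
    echo "stored verbatim as a\\a\\ (no escaping involved)\n";
} else {
    echo "value not found or altered\n";
}

// Contrast: escaping first produces a different string (each backslash
// doubled). Binding that string would store the doubled form, because a
// prepared statement does not interpret backslashes in bound values.
$escaped = $db->real_escape_string($variable);
if ($escaped !== $variable) {
    echo "real_escape_string changed the value; binding it would store the escaped form\n";
}
$db->close();
```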