but mysqli_real_escape_string() or any number of other similar solutions are indeed a thing that exists. A prepared statement would work, too.
You make it sound as if a prepared statement is a last resort. I would turn that around: as a rule always use prepared statements when dealing with user input. It’s very easy to forget a single call to mysqli_real_escape_string().
I was thinking more along the lines of the types of laziness/ineptitude most likely present at wherever OP’s example were being written. Escape string is one line of code for this whereas preparing a statement is like five.
But really they should just be hashing it. Then the input doesn’t matter.
You make it sound as if a prepared statement is a last resort. I would turn that around: as a rule always use prepared statements when dealing with user input. It’s very easy to forget a single call to
mysqli_real_escape_string().I was thinking more along the lines of the types of laziness/ineptitude most likely present at wherever OP’s example were being written. Escape string is one line of code for this whereas preparing a statement is like five.
But really they should just be hashing it. Then the input doesn’t matter.