Do I need real_escape_string for parametrized queries?
... or even more?
Well, I am maintaining a simple CMS where I actually take care of user input, such as comments.
The latter is stripped of any harmful stuff (at least I hope so).
But the administrators and moderators are able to publish articles full of HTML code, so it's a bit tricky to avoid errors that come from copy/paste with hidden $bad_stuff.
Even users may publish comments on coding with PHP code and/or HTML code.
So I need some advice on how to do it properly.
I am an experienced programmer, but my roots are not within PHP/MySQL, so I tried several things to sanitize input, but more or less all the time the content is messed up after several steps of editing.
Actually my code looks like [simplified]:
INSERT INTO articles (bodytext, keywords, teaser, title) VALUES (?, ?, ?, ?)
then bind_param() is used to insert the values,
and of course the respective update statements.
So the question is: do I have to do some sanitization of the parameters in question?
And yes, I know about the flaws and issues of having something like "<script >...</script>" inside an article. I'll take care of that.
I mean: DO I REALLY need to take care of the input if I trust the moderators?
Please direct me on any articles related to this problem if you know something worth reading.
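An added example, not the asker's code, showing the two separate concerns the question mixes: a bound parameter never needs real_escape_string, because the SQL text and the values travel separately, while HTML escaping is an output concern decided at render time. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; mysqli's prepare()/bind_param() as used in the question gives the same separation. The table layout, the sample article text and the helper names (storeArticle, loadArticle, h, renderAsText) are assumptions made for this example.

```php
<?php
// Added example (not the asker's code). PDO + in-memory SQLite stands in for the
// asker's MySQL table; mysqli prepare()/bind_param() behaves the same way.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Assumed table layout matching the columns named in the question.
    $db->exec('CREATE TABLE articles (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        bodytext TEXT, keywords TEXT, teaser TEXT, title TEXT)');
    return $db;
}

// 1. Storage. The SQL text is fixed; every value is a bound parameter, so quotes,
//    comment markers and tags inside it are just characters. No real_escape_string.
function storeArticle(PDO $db, string $bodytext, string $keywords, string $teaser, string $title): int
{
    $stmt = $db->prepare(
        'INSERT INTO articles (bodytext, keywords, teaser, title) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$bodytext, $keywords, $teaser, $title]);
    return (int) $db->lastInsertId();
}

function loadArticle(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT * FROM articles WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// 2. Output. Escaping is an HTML decision made per context when rendering,
//    never applied to the data before it is stored (that is what "messes up"
//    content after several rounds of editing).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// For untrusted authors (comments): show markup as literal text.
function renderAsText(array $article): string
{
    return '<h2>' . h($article['title']) . '</h2>'
         . '<div class="comment">' . h($article['bodytext']) . '</div>';
}

// Constructed input: what a copy/pasted article might carry.
$title    = "O'Reilly's guide -- \"quotes\"; and a semicolon";
$bodytext = '<p>Hello</p><script>alert(1)</script>';

$db = openDb();
$id = storeArticle($db, $bodytext, 'php, mysql', 'teaser text', $title);
$row = loadArticle($db, $id);

// Stored verbatim: nothing added, nothing stripped.
if ($row['title'] !== $title || $row['bodytext'] !== $bodytext) {
    throw new RuntimeException('round trip changed the data');
}

// The apostrophe in $title would break (or be abused in) a concatenated query.
// This is the pattern that ever needed escaping; do not write it at all:
//   $db->query("INSERT INTO articles (title) VALUES ('$title')");

// The comment view renders the script tag as text, so it is not executed.
$html = renderAsText($row);
if (strpos($html, '<script>') !== false) {
    throw new RuntimeException('raw markup leaked into the page');
}
echo $html, "\n";

// For trusted authors (moderators' articles) the raw bodytext may be echoed as
// HTML; if that trust is conditional, pass it through an allow-list HTML
// sanitizer (such as HTML Purifier, assumed installed separately) before output.
```

The point the example makes: storing raw text with bound parameters and escaping with htmlspecialchars only at output is what keeps content intact across repeated edits, because nothing is transformed on the way in. Whether moderators' articles are echoed as raw HTML is a trust decision about the authors, not something real_escape_string would influence either way.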