mysql vb.net prepared-statement mysql-real-escape-string

Vb.net Mysql: Escape String

This is a realy quick question

One way to update or insert data in a database is to use prepared statements like this:

Dim cmd As New MySqlCommand("UPDATE `table` SET `field` = ?value", con)
cmd.Parameters.AddWithValue("?value", "user given value")
cmd.ExecuteNonQuery()

One would do that to prevent any chances of SQL injections. my question is if i use the mysqlHelper Class to escaps strings. It it equalivant to prepared statements? In other words is SQL injection still possible?

Here is how i use the escape character method

Dim cmd As New MySqlCommand("UPDATE `table` SET `field` =" & MySqlHelper.EscapeString("user given value"),con)
cmd.ExecuteNonQuery()

Solution

Yes it does but generally your better off doing it the proper way by using parameters. Using the above is just not advised.

Have a look here

How to find sum of multiple columns in where clause
Year 2038 Bug: What is it? How to solve it?
How to use SELECT INTO OUTFILE to write to a directory other than /tmp?
How to add a LIKE condition to a CodeIgniter query?
How to connect MySQL Server to Workbench
SQL triggers column updating sequence
Codeigniter using LIKE with WHERE in SQL query
Optimize Laravel Query Builder with Joins
How to use a LIKE query with CodeIgniter?
How to create MULTIPLE LIKE query for the same column in codeigniter?
MySQL/Writing file error (Errcode 28)
mysql joining two table without in common
How to display content of multiple QSqlTableModels in one QTableView?
Update multiple column of a SQL table based on another table
Installing MySQL on the D: drive instead of C:
CodeIgniter not correctly performing a sql query
Return count of qualifying rows from a SELECT query with a JOIN using CodeIgniter
CodeIgniter UPDATE query with column value addition is not affecting rows
INSERT INTO ... ON DUPLICATE UPDATE all values
Why is SQLAlchemy count() much slower than the raw query?
Automated quoting in CodeIgniter select() method is corrupting SELECT clause
codeigniter mysql 'select' query returns only one column
Importing nodes and edges to Gephi from MySQL breaks but same data from .csv works perfectly
How to make `id` automatically set by a query instead of `AUTO_INCREMENT`
Get Current User ID from Mysql in php
Mysql query using in () doesn't work with a comma-separated value
display data from SQL database into php/ html table
How to lower costs of having MySQL db in Google Cloud
How to give two or where condition in mysql query in codeigniter
CodeIgniter query WHERE column value is one of several qualifying values