Some people believe that mysql_real_escape_string() has some flaws and cannot protect your query even when properly used, bringing some fossilized articles as proof.
So, the question is: is mysql[i]_real_escape_string() totally unacceptable?
Or is it still possible to use this function to create your own kind of prepared statements?
With proofcode, please.
From the MySQL’s C API function
So don’t use SET CHARACTER SET but PHP’s mysql_set_charset to change the encoding, as that is the counterpart to MySQL’s mysql_set_character_set (see source code of /ext/mysql/php_mysql.c).
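
The advice above as an added example (not code from the answer or from PHP's source): it uses the mysqli equivalents of the functions named, sets the encoding through the API, and refuses to escape if the client library and the server disagree about the encoding. The connection parameters, the users table and the helper names are assumptions, and it needs a reachable MySQL server.

```php
<?php
// Added example. Host, credentials, database and the `users` table are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function open_connection(string $host, string $user, string $pass, string $db, string $charset): mysqli
{
    $link = mysqli_connect($host, $user, $pass, $db);
    // Changes the encoding on the server AND inside the client library.
    // The client-side value is the one mysqli_real_escape_string() consults.
    mysqli_set_charset($link, $charset);
    return $link;
}

// Detects an encoding that was changed behind the library's back, for
// example by a "SET NAMES" or "SET CHARACTER SET" query elsewhere in the code.
function charset_in_sync(mysqli $link): bool
{
    $client = mysqli_character_set_name($link);            // what the escaper uses
    $row = mysqli_fetch_row(mysqli_query($link, 'SELECT @@character_set_client'));
    return $row[0] === $client;                             // what the server parses with
}

// Hypothetical helper: escape and quote one string value for use in a query.
function quote(mysqli $link, string $value): string
{
    // One extra round trip per call; cache the result if that matters.
    if (!charset_in_sync($link)) {
        throw new RuntimeException('connection charset was changed outside mysqli_set_charset()');
    }
    // Escaping only protects a value that is placed inside quotes.
    return "'" . mysqli_real_escape_string($link, $value) . "'";
}

$link = open_connection('localhost', 'app_user', 'app_password', 'app_db', 'utf8mb4');
$name = $_GET['name'] ?? '';
$result = mysqli_query($link, 'SELECT id FROM users WHERE name = ' . quote($link, $name));
```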