Yes, it is still necessary. json_encode adds backslashes to the strings contained within the JSON, but not to the control elements of the JSON itself.
So, this:
array( 'key' => 'some "value" here' );
Becomes:
{"key": "some \"value\" here"}
There are still quotes in the string that are not escaped (the quotes surrounding the keys and values). json_encode is not meant to protect against SQL injection. It adds slashes purely for the JSON, so that when you, later on, json_decode() the data, it knows where the strings start and stop.
As others have said - use prepared statements. Period. If you're already using mysqli you have no reason not to.
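
An added example (not part of the original answer) showing the point above: json_encode output placed in an SQL string literal by concatenation, next to the same value sent as a bound parameter. The `settings` table and the sample data are hypothetical, and it uses PDO with an in-memory SQLite database so it runs without a server; with mysqli the same pattern is `prepare()`, `bind_param('s', $json)`, `execute()`.

```php
<?php
// Added example: hypothetical table/column names, constructed sample data.
// Assumption: PDO + in-memory SQLite stands in for the MySQL database.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE settings (id INTEGER PRIMARY KEY, payload TEXT NOT NULL)');

// Constructed input: double quotes inside one value, an apostrophe in another.
$data = ['key' => 'some "value" here', 'author' => "O'Reilly"];
$json = json_encode($data);
// $json is: {"key":"some \"value\" here","author":"O'Reilly"}
// The inner double quotes are escaped for JSON; the apostrophe is left alone,
// because an apostrophe has no special meaning in JSON.

// Before: concatenation into a single-quoted SQL literal.
// The apostrophe closes the literal early and the statement is rejected.
try {
    $pdo->exec("INSERT INTO settings (payload) VALUES ('" . $json . "')");
    echo "concatenated insert: accepted\n";
} catch (PDOException $e) {
    echo "concatenated insert: rejected (" . $e->getMessage() . ")\n";
}

// After: prepared statement. The JSON is sent as data, never parsed as SQL.
$stmt = $pdo->prepare('INSERT INTO settings (payload) VALUES (?)');
$stmt->execute([$json]);

// Round trip: the stored text is byte-for-byte the JSON and decodes back
// to the original array.
$stored = $pdo->query('SELECT payload FROM settings ORDER BY id DESC LIMIT 1')
              ->fetchColumn();
var_dump($stored === $json);
var_dump(json_decode($stored, true) === $data);
```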