…and if your attacker inserts double-quotes in his injected string, some escaped, some not? No: use prepared statements, period, end of sentence. Do not try to play games, attempting to outthink your attacker. The many attackers collectively have all the time in the world, they need to succeed only once, and they are better-motivated than you are. You are alone and busy, you must succeed in *every* encounter with the attackers, and you have better things to do with your time. Use the simple solution that always works, so you can move on and do something productive with your day.