Yesterday I had 'ajax.php' with
```php
$sql = "UPDATE `-notes` SET name='$name', content='$content', tags='$tags' WHERE unique_hak='$unique'";
```
and thought I was safe with htmlspecialchars. User ADyson (amongst others) made very clear I was doing things totally wrong.
Now I have read up on prepared statements (I like this article from websitebeavers) and have ajax-prep-stmt.php with
```php
// Make mysqli throw exceptions instead of failing silently
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
set_exception_handler(function($e) {
    error_log($e->getMessage());          // details go to the server log only
    exit('Error connecting to database'); // For user
});
// Credentials were left blank in the post
$mysqli = new mysqli("localhost","","","");
$mysqli->set_charset("utf8mb4");
$stmt = $mysqli->prepare("UPDATE `-notes` SET name=?, content=?, tags=? WHERE unique_hak=?");
$stmt->bind_param("ssss", $name, $content, $tags, $unique);
$stmt->execute();
//fetching result would go here, but will be covered later
// (an UPDATE produces no result set, so get_result() returns false here)
$result = $stmt->get_result();
$stmt->close();
```
Everything is working. Also my database now shows instead of <p>.
Question: `$stmt->close()` seems to 'close' the (prepared) statement.
Do I still have to close the connection to the database? I think I'm confusing 'objects' with 'procedures'. In the new code there is no $conn = mysqli_connect.
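As an added example (not the asker's code), here is the same UPDATE with the connection object and the statement object handled separately, so it is visible which `close()` does what; the credentials and the `update_note` wrapper are placeholders:

```php
<?php
// Added example, not from the question: full lifecycle of connection + statement.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function update_note(string $name, string $content, string $tags, string $unique): int
{
    // new mysqli(...) IS the connection: it is the object-style equivalent of
    // $conn = mysqli_connect(...). Placeholder credentials, replace with your own.
    $mysqli = new mysqli("localhost", "DB_USER", "DB_PASSWORD", "DB_NAME");
    $mysqli->set_charset("utf8mb4");

    try {
        $stmt = $mysqli->prepare(
            "UPDATE `-notes` SET name=?, content=?, tags=? WHERE unique_hak=?"
        );
        // Bound values travel to the server as data, never as SQL text,
        // so quotes or tags inside them cannot alter the query.
        $stmt->bind_param("ssss", $name, $content, $tags, $unique);
        $stmt->execute();

        // An UPDATE has no result set (get_result() would return false);
        // affected_rows is the value worth checking for this statement.
        $affected = $stmt->affected_rows;

        $stmt->close();   // releases only the prepared statement handle
        return $affected;
    } finally {
        $mysqli->close(); // closes the connection itself; PHP would also do this
                          // when $mysqli is destroyed at the end of the script
    }
}

// Constructed sample call: the <p> tags are stored literally, not escaped.
$rows = update_note("Title", "<p>Body</p>", "tag1,tag2", "abc123");
echo "$rows row(s) updated\n";
```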