Prepared statements. Should I use prepared php statements even in requests without (?) Placeholders?

Question

Prepared statements. Should I use prepared php statements even in requests without (?) Placeholders?

It makes sense for me to use ready-made instructions in a request of the following type:

$sqlQuery = "SELECT phone FROM contact WHERE name = ? ";

However, in the following situation, it makes sense and is it useful to use prepared statements, as is sometimes seen?

$sqlQuery = "SELECT name FROM contact";

Thank you in advance

+3

php prepared-statement

josei 09 jan. 15 at 19:15

source to share

2 answers

Typically, only prepared statements are needed to be used with user input. This is great for use in situations where user input is also not affected. If you are using PDO, you may be more comfortable using the same PDO connection string and query process as before, as using a different set of functions will require you to reopen the connection.

+2

James paterson 09 jan. 15 at 19:36

source to share

Rocket hazmat · Accepted Answer · 2015-01-09T19:32:47+0000

If you are running the query without any user-entered variables, you can simply do:

$db->query("SELECT name FROM contact")

Once you start entering user-entered data, you need to use a prepared statement.

$db->prepare("SELECT phone FROM contact WHERE name = ?");

Prepared statements. Should I use prepared php statements even in requests without (?) Placeholders?

More articles: