JDelage

Reputation: 13682

Should I use bindParam for a query that has no user input?

I'm fairly new and have been taught that the key rationale for prepared queries is safety.

I have a query in my program that receives no user input - it's all using internal variables. Are there still material benefits to using bindParam in a PDO query rather than simply submitting the query string as is?

Upvotes: 0

Views: 76

Answers (1)

eggyal

Reputation: 125945

What if a future update changed the variable so that it became assigned from user input, but no one bothered to alter the query?

One should avoid ever concatenating variables into SQL and always send them to the RDBMS as parameters.

Upvotes: 1
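
The scenario from the answer above, as an added example that is not code from the question or the answer: the same query written with concatenation and with `bindParam`, first fed an internal constant and then a value that later arrives from outside. The `staff` table, its rows, and the function names `namesConcat` and `namesBound` are hypothetical, and an in-memory SQLite database (requires the `pdo_sqlite` extension) is assumed so the script runs offline.

```php
<?php
// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE staff (name TEXT, dept TEXT)");
$pdo->exec("INSERT INTO staff VALUES ('Ann', 'ops'), ('Bob', 'r&d'), ('Cy', 'ops')");

// "Before": the variable is concatenated into the SQL text, so any quote
// character inside it becomes part of the statement's syntax.
function namesConcat(PDO $pdo, string $dept): array
{
    $sql = "SELECT name FROM staff WHERE dept = '" . $dept . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// "After": the SQL text is fixed and the variable is sent as a parameter,
// so the RDBMS only ever treats it as a value to compare against.
function namesBound(PDO $pdo, string $dept): array
{
    $stmt = $pdo->prepare('SELECT name FROM staff WHERE dept = :dept');
    $stmt->bindParam(':dept', $dept, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function report(string $label, array $rows): void
{
    echo str_pad($label, 28), count($rows), ' row(s): ', implode(', ', $rows), PHP_EOL;
}

// Today: the value is an internal constant and both versions agree.
$dept = 'ops';
report('internal, concatenated:', namesConcat($pdo, $dept));
report('internal, bound:', namesBound($pdo, $dept));

// After a future update: the same variable is now filled from outside.
// Constructed value containing a quote; the query code was never revisited.
$dept = "ops' OR '1'='1";
report('external, concatenated:', namesConcat($pdo, $dept)); // WHERE clause rewritten
report('external, bound:', namesBound($pdo, $dept));         // compared as a literal string
```

Running it with `php` on the command line prints the row counts side by side; only the concatenated version changes behaviour when the variable's origin changes.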
