hyphen

Reputation: 967

PDO Prepared Statements with multiple conditions in where clause

If I'm using PDO prepared statements, and I have a query like this:

SELECT cat_name, cat_id_PK, cat_amount
FROM categories
WHERE month=? AND is_recurring = '0'
ORDER BY cat_name ASC;

$results->bindValue(1, $cur_month);

Should I also be binding the value of the is_recurring clause? The '0' is hard-coded in, and I don't think it would leave me vulnerable to SQL injection, but I wanted to ask to be sure. I noticed in a tutorial I was looking at that they did bind the value even though it wasn't a variable being passed, which made me wonder if I was doing it right.

Upvotes: 5

Views: 1871

Answers (2)

Nic Wortel

Reputation: 11423

No, in this situation binding is not necessary. As stated by PHP.net, prepared statements serve two purposes:

  1. the query only needs to be parsed once, and therefore runs faster
  2. they prevent SQL injection

Since you are hardcoding that value in the query, neither applies. The query stays the same, so it only has to be compiled once. And there is no user input pasted into the query, so SQL injection is impossible. (As long as you do bind the other value, of course.)

Conclusion: You don't have to bind the 0, because it's not a variable.

Upvotes: 1
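Both answers say the same thing, so here is one runnable illustration of it. This is an added example, not code from the question or from either answer: it builds a throwaway in-memory SQLite database with a constructed `categories` table (the real schema is not on the page, so column types are assumed), then runs the asker's query once with the literal `'0'` left in the SQL text and once with both conditions bound. The connection handle `$pdo` and the sample rows are assumptions.

```php
<?php
// Added example (not from the question or either answer). Uses an in-memory
// SQLite database so it runs stand-alone; requires the pdo_sqlite extension.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask PDO for native server-side prepares where the driver supports them.
// SQLite always prepares natively; for MySQL this turns off client-side emulation.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed schema and rows; the real table layout is not given on the page.
$pdo->exec('CREATE TABLE categories (
    cat_id_PK    INTEGER PRIMARY KEY,
    cat_name     TEXT    NOT NULL,
    cat_amount   REAL    NOT NULL,
    month        INTEGER NOT NULL,
    is_recurring INTEGER NOT NULL DEFAULT 0
)');
$pdo->exec("INSERT INTO categories (cat_name, cat_amount, month, is_recurring) VALUES
    ('Groceries',  300.0, 5, 0),
    ('Rent',      1200.0, 5, 1),
    ('Travel',     150.0, 6, 0),
    ('Gifts',       80.0, 5, 0)");

/**
 * Variant 1: the asker's form. The literal '0' stays in the SQL text because it
 * never changes; only the month arrives from outside, so only the month is bound.
 */
function nonRecurringForMonth(PDO $pdo, int $curMonth): array
{
    $stmt = $pdo->prepare(
        "SELECT cat_name, cat_id_PK, cat_amount
         FROM categories
         WHERE month = ? AND is_recurring = '0'
         ORDER BY cat_name ASC"
    );
    $stmt->bindValue(1, $curMonth, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Variant 2: bind both conditions. Same rows for the same inputs; this is the
 * shape you want the moment the recurring flag can be chosen at runtime (say,
 * a filter in the UI), because the SQL text stays fixed and the request value
 * only ever travels as a parameter.
 */
function categoriesForMonth(PDO $pdo, int $curMonth, bool $recurring): array
{
    $stmt = $pdo->prepare(
        'SELECT cat_name, cat_id_PK, cat_amount
         FROM categories
         WHERE month = :month AND is_recurring = :recurring
         ORDER BY cat_name ASC'
    );
    $stmt->bindValue(':month', $curMonth, PDO::PARAM_INT);
    $stmt->bindValue(':recurring', $recurring ? 1 : 0, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The thing that actually opens an injection hole is concatenating request data
// into the SQL string, e.g. "WHERE month = " . $_GET['month']. Neither variant
// above does that; the hardcoded '0' is not the risk, the unbound month would be.

$curMonth = 5; // constructed sample input; in the real app this comes from the request
print_r(nonRecurringForMonth($pdo, $curMonth));        // Gifts, Groceries
print_r(categoriesForMonth($pdo, $curMonth, false));  // the same two rows
print_r(categoriesForMonth($pdo, $curMonth, true));   // Rent
```

Passing `PDO::PARAM_INT` to `bindValue` is what keeps the month from being sent as a string; with `ATTR_EMULATE_PREPARES` off, the driver sends the statement and the parameter separately, so the value can never be parsed as SQL no matter what it contains.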

user557846

Reputation:

In this instance binding is not necessary; it's not a variable.

Upvotes: 2
