Reputation: 1562
Prepared Statements - Should I use php prepared statements even in queries without (?) placeholders?
It makes perfect sense to me to use prepared statements in a query of the following type:
$sqlQuery = "SELECT phone FROM contact WHERE name = ? ";
However, in the following situation, does it make sense and is it useful to use prepared statements, as sometimes seen?
$sqlQuery = "SELECT name FROM contact";
Thanks in advance
Upvotes: 2
Views: 94
Answers (2)
Reputation: 2890
Generally, prepared statements only need to be used when user input is concerned. It's perfectly fine to use them in situations when no user input is concerned as well - If you're using PDO you may find it more convenient to use the same PDO connection string and query process as before, as using a different function set would require you to reopen the connection.
Upvotes: 2
Reputation: 227200
If you are running a query without any user-entered variables, you can just do:
$db->query("SELECT name FROM contact")
As soon as you start entering in user-inputted data, then you need to use a prepared statement.
$db->prepare("SELECT phone FROM contact WHERE name = ?");
Upvotes: 3
Related Questions
- When *not* to use prepared statements?
- Are Prepared Statements a waste for normal queries? (PHP)
- When should I use prepared statements?
- Is using prepared statements necessary?
- Should we always use prepared statements in MySQL and php or when to use these?
- PHP: Prepared statements
- Should prepared statement ever be used without placeholders
- Are there downsides to using prepared statements?
- Which parameters should I declare as sql placeholders?
- Is It Overkill To Use Prepared Statements for Placeholder Binding Alone?