RNK

Reputation: 5792

Bind variables in PHP-MySQL

I am using the code below to execute a MySQL query in PHP.

$cus_id = '1';
$query = new QUERY();
$clause = "SELECT * FROM customers WHERE cus_id=:cus_id AND status='ACTIVE'";
$params = array('cus_id'=>$cus_id);
$result = $query->run($clause, $params)->fetchAll();

Now the question is: is it secure enough? Or do I need to bind the static string as well? Something like:

$clause = "SELECT * FROM customers WHERE cus_id=:cus_id AND status=:status";
$params = array('cus_id'=>$cus_id, 'status'=>'ACTIVE');

Upvotes: 1

Views: 88
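The following is an added example, not code from the question or either answer. It shows both forms from the question side by side using PDO named placeholders (the question's QUERY wrapper is not shown; PDO is assumed), plus the concatenation pattern that binding protects against, so the difference is visible on constructed input. An in-memory SQLite database stands in for MySQL so the script runs offline; on MySQL only the DSN and credentials change.

```php
<?php
// Added example: PDO named placeholders with a constant kept inline vs. fully bound.
// Assumption: an in-memory SQLite database replaces MySQL so this runs offline.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On MySQL, also turn off client-side emulation so the server itself
    // prepares the statement and bound values are never parsed as SQL:
    // $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE customers (cus_id INTEGER PRIMARY KEY, name TEXT, status TEXT)');
    $ins = $pdo->prepare('INSERT INTO customers (cus_id, name, status) VALUES (:id, :name, :status)');
    // Constructed sample rows.
    foreach ([[1, 'alice', 'ACTIVE'], [2, 'bob', 'ACTIVE'], [3, 'carol', 'DISABLED']] as [$id, $name, $status]) {
        $ins->execute(['id' => $id, 'name' => $name, 'status' => $status]);
    }
    return $pdo;
}

/** Form from the question: user-controlled value bound, constant status inline. */
function activeCustomerLiteral(PDO $pdo, string $cusId): array
{
    $stmt = $pdo->prepare("SELECT * FROM customers WHERE cus_id = :cus_id AND status = 'ACTIVE'");
    $stmt->execute(['cus_id' => $cusId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Alternative from the question: everything bound. Same safety, one more parameter. */
function activeCustomerBound(PDO $pdo, string $cusId, string $status = 'ACTIVE'): array
{
    $stmt = $pdo->prepare('SELECT * FROM customers WHERE cus_id = :cus_id AND status = :status');
    $stmt->execute(['cus_id' => $cusId, 'status' => $status]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** The pattern binding exists to avoid: user input concatenated into the SQL text. */
function activeCustomerConcatenated(PDO $pdo, string $cusId): array
{
    $sql = "SELECT * FROM customers WHERE cus_id = '$cusId' AND status = 'ACTIVE'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();
// Constructed input: a quote that closes the literal, then a condition that is always true.
$hostile = "' OR '1'='1";

// Bound forms: the whole string is compared as a single value and matches no row.
var_dump(count(activeCustomerLiteral($pdo, $hostile)) === 0);   // bool(true)
var_dump(count(activeCustomerBound($pdo, $hostile)) === 0);     // bool(true)
var_dump(count(activeCustomerLiteral($pdo, '1')) === 1);        // bool(true)

// Concatenated form: the input becomes part of the query and every ACTIVE row comes back.
var_dump(count(activeCustomerConcatenated($pdo, $hostile)));    // int(2)
```

The point to take from the first two functions is that the literal 'ACTIVE' is part of the SQL text the developer wrote, not data supplied at runtime, so binding it changes nothing about safety; binding is required exactly where the value comes from outside the code, as $cus_id does.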

Answers (2)

chaos

Reputation: 124277

It's fine the way you have it. The value for status isn't being dynamically assembled and doesn't create any vulnerabilities.

Upvotes: 1

Daan

Reputation: 12236

It's secure because ACTIVE isn't user input. So you don't need to bind it.

Upvotes: 1
