If a parameter is an integer and doesn't come from user input, i.e. it's a variable I'm setting myself like $type = 5;, do I still need to make a placeholder for it like I do for parameters that come from user input (WHERE type = ?)? Are there any benefits to it?
Viewed 58 times
3

Anna K. - 1,887 - 6 - 26 - 38

- (1) It is always simpler if you do things one way rather than two ways :) – Andrius Naruševičius Feb 06 '14 at 10:42
- Technically: no. For clarity and future proofing, maybe yes. – deceze Feb 06 '14 at 10:44
- Also worth a read: http://stackoverflow.com/questions/535464/when-not-to-use-prepared-statements – halfer Feb 06 '14 at 11:04
2 Answers
3
It's a good idea to parameterise wherever you can, for security reasons, but you don't have to. Parameterised queries are much more likely to benefit from the effects of the query cache, though whether you'll see a performance benefit depends on your scenario.
There are some cases where you'll need to add SQL in directly; column and table names, for example, cannot be parameterised. As long as these are filtered carefully, you will be fine.

halfer - 19,824 - 17 - 99 - 186
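The two halves of this answer side by side, as an added example that is not code from the question or the answers: the integer from the question goes through a placeholder exactly as user input would, while the sort column (an identifier, which no driver lets you bind) is checked against a fixed allow-list before it is spliced into the SQL. The script assumes PDO with the pdo_sqlite extension and an in-memory database; the `items` table, its columns and the sample rows are constructed for the demonstration.

```php
<?php
// Added example; it is not code from the question or the answers. It uses PDO
// with an in-memory SQLite database so it runs stand-alone, and the table
// "items" with columns name, type and created is made up for illustration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, type INTEGER, created TEXT)');
$insert = $pdo->prepare('INSERT INTO items (name, type, created) VALUES (?, ?, ?)');
foreach ([['hammer', 5, '2014-02-03'], ['saw', 5, '2014-02-01'], ['glue', 7, '2014-02-02']] as $row) {
    $insert->execute($row);
}

// Values go through placeholders, even when the caller hard-codes them.
// Identifiers cannot: "ORDER BY ?" would bind a string *value*, so SQLite
// would sort every row by the same constant and the order would be undefined.
// The column name is therefore checked against a fixed allow-list and only
// then spliced into the SQL, quoted as an identifier.
function itemsOfType(PDO $pdo, int $type, string $orderBy = 'name'): array
{
    static $allowedColumns = ['name', 'type', 'created'];
    if (!in_array($orderBy, $allowedColumns, true)) {
        throw new InvalidArgumentException('Unknown sort column: ' . $orderBy);
    }

    $stmt = $pdo->prepare(
        'SELECT name FROM items WHERE type = :type ORDER BY "' . $orderBy . '"'
    );
    $stmt->bindValue(':type', $type, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The constant from the question: bound exactly like user input would be.
$type = 5;
print_r(itemsOfType($pdo, $type));              // sorted by name
print_r(itemsOfType($pdo, $type, 'created'));   // sorted by date

// An identifier that is not on the list never reaches the database.
try {
    itemsOfType($pdo, $type, 'name"; DROP TABLE items; --');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allow-list is the "filtered carefully" part: it compares the whole string against known column names, so there is nothing to escape. Double quotes are SQLite's (and standard SQL's) identifier quoting; on MySQL the same code would use backticks.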
1
I would use a prepared statement just for security purposes. Although the parameter does not come directly from a user input, someone might be able to inject harmful code in there, possibly breaking your SQL database.

Chrisi - 371 - 3 - 15

- (1) Um, how? If changing the code is possible, I don't think preparing the statement would help :) I think both ways are just as secure, but I was wondering if there are any other advantages of preparing the statement, besides security, which doesn't matter in this case – Anna K. Feb 06 '14 at 10:50
- (1) Can you 100% guarantee that the value will never, ever depend on user input? Maybe there is a change in a couple of months and you forgot that the value is directly set in the SQL query. Also I would go with one style of creating your SQL statement and don't mix things up. – tea2code Feb 06 '14 at 10:56
- @tea2code: if everything is untainted within the database code, it's fine. I agree with the sentiment that parameterisation is better though, where it is possible. – halfer Feb 06 '14 at 11:03
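The scenario tea2code describes, played out in code as an added example that is not from this answer or its comments: the same query written once by interpolation and once with a placeholder, a constant `$type` on day one, and then the later change that makes the value come from the request. It assumes PDO with pdo_sqlite and an in-memory database; the `items` table, its rows and the `$request` array standing in for `$_GET` are constructed for the demonstration.

```php
<?php
// Added example, not code from the answers or comments. It plays out the
// change tea2code describes: a constant that later starts coming from the
// request. In-memory SQLite stands in for the real database; the "items"
// table and the $request array are constructed for the demonstration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, type INTEGER)');
$pdo->exec("INSERT INTO items (name, type) VALUES ('hammer', 5), ('saw', 5), ('internal-only', 9)");

// Query built by interpolation. Safe while $type is the literal 5 from the code.
function namesOfTypeInterpolated(PDO $pdo, $type): array
{
    $sql = "SELECT name FROM items WHERE type = $type";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Same query with a placeholder. Whatever $type holds is sent as a parameter
// value, never as SQL text.
function namesOfTypeBound(PDO $pdo, $type): array
{
    $stmt = $pdo->prepare('SELECT name FROM items WHERE type = ?');
    $stmt->bindValue(1, $type, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Day one: the value is set in the code, and both functions return the same rows.
$type = 5;
print_r(namesOfTypeInterpolated($pdo, $type));
print_r(namesOfTypeBound($pdo, $type));

// Months later the filter is made selectable from the URL. $request stands in
// for $_GET; nobody revisits the functions above.
$request = ['type' => '5 OR 1=1'];
$type = $request['type'];

// The interpolated query is now "... WHERE type = 5 OR 1=1": every row,
// including the one that should never have been listed.
print_r(namesOfTypeInterpolated($pdo, $type));

// The bound query still has exactly one WHERE condition; "OR 1=1" is just
// characters inside a parameter and the row of type 9 stays hidden.
print_r(namesOfTypeBound($pdo, $type));
```

Both functions are identical in what they return while the value is the constant; the difference only shows up after the change nobody remembered. On MySQL, set `PDO::ATTR_EMULATE_PREPARES` to `false` so the placeholder is handled by the server; with emulation PDO still quotes the value on the client, which is also safe but is a different mechanism.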