
Which of these two is the safe method to write a query?

$stmt = $pdo->prepare("UPDATE tableName SET fieldName = 0");

OR

$stmt = $pdo->prepare("UPDATE tableName SET fieldName = :parameter");
$stmt->bindValue(':parameter', 0);

I know the 2nd method is way better and I use it whenever I use a $variable in bindValue. But here, I need to use a known integer 0. So, the first process seemed easier as I did not have to write another bindValue statement. But, is it safe?

1 Answer

1

Looking at your questions I'd say that you'll definitely benefit from reading the PDO tutorial I wrote, which says:

There are two ways to run a query in PDO. If no variables are going to be used in the query, you can use the PDO::query() method.

and

if at least one variable is going to be used in the query, you have to substitute it with a placeholder, then prepare your query, and then execute it, passing variables separately.

So now you can tell that for this particular query you can use the query() method instead of prepare/execute:

$stmt = $pdo->query("UPDATE tableName SET fieldName = 0");

as there are no variables to be used and thus no danger at all.

Your Common Sense
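The two paths the answer describes, side by side, as an added example that is not part of the question or the answer: a literal typed by the developer goes through query(), while any value that originates outside the source code travels as a bound parameter. It runs against an in-memory SQLite table constructed inline and assumes the pdo_sqlite extension is installed; the table name and the setField() helper are assumptions for illustration.

```php
<?php
// Added example (not code from the question or the answer). Assumes the
// pdo_sqlite extension is available; the table and its rows are constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Let the database engine, not the driver, handle placeholder substitution.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample table (hypothetical schema).
$pdo->exec("CREATE TABLE tableName (id INTEGER PRIMARY KEY, fieldName INTEGER, label TEXT)");
$pdo->exec("INSERT INTO tableName (fieldName, label) VALUES (5, 'a'), (7, 'b'), (9, 'c')");

// 1. No variables in the SQL text: query() is enough. The 0 is a constant the
//    developer wrote into the source, so nothing untrusted can reach the query.
$affected = $pdo->query("UPDATE tableName SET fieldName = 0")->rowCount();
echo "query(): updated {$affected} rows\n";

// 2. A value that comes from outside the code (request, file, another table)
//    is passed through a placeholder and bound with an explicit type. The SQL
//    text stays fixed; only the parameter value changes between calls.
function setField(PDO $pdo, int $id, int $value): int
{
    $stmt = $pdo->prepare("UPDATE tableName SET fieldName = :value WHERE id = :id");
    $stmt->bindValue(':value', $value, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

echo "prepare/bindValue: updated " . setField($pdo, 2, 42) . " row\n";

// 3. A bound value is sent as data, so characters that would be significant in
//    SQL text (here a single quote and a semicolon, in a constructed label)
//    are stored verbatim and never alter the statement.
$label = "O'Reilly; note";
$stmt = $pdo->prepare("UPDATE tableName SET label = :label WHERE id = :id");
$stmt->bindValue(':label', $label, PDO::PARAM_STR);
$stmt->bindValue(':id', 3, PDO::PARAM_INT);
$stmt->execute();

$check = $pdo->prepare("SELECT label FROM tableName WHERE id = :id");
$check->bindValue(':id', 3, PDO::PARAM_INT);
$check->execute();
$stored = $check->fetchColumn();
echo "label round-tripped unchanged: " . var_export($stored === $label, true) . "\n";
```

The dividing line is where the value comes from, not how simple it looks: a constant in the source is part of the program and needs no placeholder, while anything read at run time gets bound, even when it is "just an integer", because the type check and the separation of code from data are what make the second form safe.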