-1

I often use a simple method in SELECT queries and I do not use prepared statements, because I think there is no need to use a prepared statement in a SELECT, since in a SELECT we view the table. Further, tell me: am I thinking right, or should we use prepared statements in SELECT queries also?

If yes, please tell me.

Dharman
  • 1
    Just to avoid SQL injection attacks you should use them – Jonxag Jan 29 '23 at 12:57
  • 1
    If your query is _not_ using inputs from outside your database or application then in principle there is no chance of injection attacks, and you don't need a prepared statement. – Tim Biegeleisen Jan 29 '23 at 12:59
  • There are two main advantages of prepared statements: 1. Protection against SQL injection attacks, as already mentioned. 2. A performance gain if you need one and the same query multiple times; in this case the execution path is just calculated once. If no external input and just querying once then there's neither need for (as mentioned already, too) nor benefit from... – Aconcagua Jan 29 '23 at 13:02
  • Here are some [examples](https://owasp.org/www-community/attacks/SQL_Injection) to show how injection can occur – Rohit Gupta Jan 29 '23 at 13:38
  • 1
    @TimBiegeleisen that's a VERY bad misconception. Given an average php user never can tell what is "outside input", this suggestion is a straight road to SQL injection. – Your Common Sense Jan 29 '23 at 13:45

1 Answer

-2

It is not necessary when there is no user input. It can sometimes still be useful to use a prepared statement when there is input though, even if it's not user input. This is because preparing a statement allows it to be executed more efficiently if it is run lots of times with different data each time.

My mother says: the mountain that can be seen is not far away, don't stop trying
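
The disagreement in the comments about what counts as "outside input" can be seen in a read-only SELECT. This is an added example, not code from any post in this thread; it uses Python's built-in `sqlite3` so it runs offline, and the `users`/`prefs` tables, function names and sample rows are constructed for illustration. A value is stored safely, read back from the application's own database, and then used in a SELECT built by concatenation beside the same SELECT with a placeholder.

```python
import sqlite3

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT);
        CREATE TABLE prefs (user_id INTEGER, favourite TEXT);
    """)
    db.executemany("INSERT INTO users (name, secret) VALUES (?, ?)",
                   [("alice", "alice-secret"), ("bob", "bob-secret")])
    return db

def save_favourite(db, user_id, favourite):
    # Stored with a bound parameter, so this INSERT is safe on its own.
    db.execute("INSERT INTO prefs VALUES (?, ?)", (user_id, favourite))

def stored_favourite(db, user_id):
    row = db.execute("SELECT favourite FROM prefs WHERE user_id = ?",
                     (user_id,)).fetchone()
    return row[0]

def lookup_concat(db, user_id):
    """SELECT built by concatenation from a value read out of our own table."""
    fav = stored_favourite(db, user_id)
    # "Not user input" at this point, yet a user chose it earlier.
    sql = "SELECT name, secret FROM users WHERE name = '" + fav + "'"
    return db.execute(sql).fetchall()

def lookup_prepared(db, user_id):
    """Same SELECT with a placeholder: the value is bound as data, not SQL."""
    fav = stored_favourite(db, user_id)
    return db.execute("SELECT name, secret FROM users WHERE name = ?",
                      (fav,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    save_favourite(db, 1, "bob")            # ordinary value
    save_favourite(db, 2, "x' OR '1'='1")   # constructed hostile value
    print("concat, user 1:  ", lookup_concat(db, 1))
    print("concat, user 2:  ", lookup_concat(db, 2))    # every row returned
    print("prepared, user 2:", lookup_prepared(db, 2))  # no rows match
```

The concatenated SELECT never modifies the table, but for user 2 it returns every row including the `secret` column, while the placeholder version treats the stored string as a literal name and matches nothing.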