This might be a stupid question but should you still use prepared SQL even when the SQL isn't getting any variables from a field, POST or GET?
Example:
$sql = mysqli_query($con, "SELECT * FROM table WHERE foo = 'bar'");
In my book this is safe since there is no input, am I wrong?
分享 It doesnt matter where a variable come from. It is not about field. It's about a variable. As long as you are using at least one variable in the query - it have to be prepared with placeholders
Otherwise you can use query() method instead. There is no use for the preparing completely static queries as one is shown in the OP.
分享
