This might be a stupid question, but should you still use prepared SQL even when the SQL isn't getting any variables from a field, POST or GET?
Example:
$sql = mysqli_query($con, "SELECT * FROM table WHERE foo = 'bar'");
In my book this is safe since there is no input. Am I wrong?