MySQLi Prepare question


Don E

Hello,

Of course it is good to use prepared statements for user input, but I thought I'd ask whether it is necessary to use prepared statements for internal SQL statements as well. I read some time ago that it is best to use prepared statements for SQL even if the values are not from users (internal SQL statements), and/or even if the SQL statements are for an admin area where you know you can trust the input, say an area of the site only you have access to, for example.

I just thought I'd ask and get some perspectives/advice on this. Thanks.


The people in the admin area of a website are also users. Perhaps there are different levels of administrative permissions and a person at the lower level finds a way to hack the system so they can do things they normally are not allowed to do. It's also to avoid unnecessary error messages from showing up to people who don't know PHP and are just trying to manage their website.

Any information that is not hardcoded into your program has a chance of being tampered with.

I don't use prepared statements if there are no variables at all in the query, like when creating a table or just counting rows.


1 year later...

This is an old topic, but instead of making a new one, I thought I'd ask here again.

Would it also be advisable to use prepared statements for SELECTing as well, instead of just for INSERTing/UPDATing?

Currently I am doing that for selecting as well, but I just thought I'd ask. Thanks.


You should use prepared statements any time you have data in a query, like if the select query has a where clause with data in it. If you're just doing "SELECT * FROM users" then a prepared statement isn't necessary, but it's always good to get into the habit. You should also use a prepared statement on a query that you're going to run multiple times, like inside a loop, even if the data for each query is different.

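The points made in the two replies above (bind any value that reaches the query, even from an admin page; skip the prepared statement when the query has no variables; prepare once when the same statement runs in a loop) in working MySQLi code. This is an added example, not code posted in the thread: the connection details, the `users` table and its `id`, `email` and `role` columns are assumed for illustration.

```php
<?php
// Added example: mysqli prepared statements for an admin-area lookup, a
// constant query, and a statement reused inside a loop.
// Connection credentials and the `users` table are assumed (not from the thread).
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
$mysqli = new mysqli('localhost', 'app', 'secret', 'appdb'); // assumed credentials
$mysqli->set_charset('utf8mb4');

// Unsafe, even behind an admin login: $_GET['role'] is still user input, so a
// lower-level admin who can reach this page controls the SQL text.
// $result = $mysqli->query("SELECT id, email FROM users WHERE role = '" . $_GET['role'] . "'");

// Safe: the SQL text is fixed at prepare time; the value travels separately
// as a bound parameter and can never change the statement's structure.
function usersByRole(mysqli $db, string $role): array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE role = ?');
    $stmt->bind_param('s', $role);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// A query with no variables at all needs no prepared statement.
function countUsers(mysqli $db): int
{
    return (int) $db->query('SELECT COUNT(*) AS n FROM users')->fetch_assoc()['n'];
}

// Reuse: prepare once, then execute many times with different data. bind_param
// binds by reference, so reassigning $email and $role before each execute()
// is all the loop has to do.
function insertUsers(mysqli $db, array $users): int
{
    $email = '';
    $role = '';
    $stmt = $db->prepare('INSERT INTO users (email, role) VALUES (?, ?)');
    $stmt->bind_param('ss', $email, $role);
    $inserted = 0;
    foreach ($users as [$email, $role]) {
        $stmt->execute();
        $inserted += $stmt->affected_rows;
    }
    $stmt->close();
    return $inserted;
}

// Usage (constructed input): the role comes from the request, the inserts from a fixed list.
$editors = usersByRole($mysqli, $_GET['role'] ?? 'editor');
$total = countUsers($mysqli);
$added = insertUsers($mysqli, [['a@example.com', 'editor'], ['b@example.com', 'viewer']]);
printf("%d users matched, %d total, %d inserted\n", count($editors), $total, $added);
```

`MYSQLI_REPORT_STRICT` turns SQL failures into exceptions, which is what keeps raw MySQL error text from being shown to the non-technical admins the first reply mentions; catch the exception at the page level and log it rather than echoing it.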
