I've been reading up on SQL injections and I couldn't find an answer to this question.
I understand if I a query like this
prepare("SELECT id, foo, bar FROM table WHERE username = ?");
Then I should use bind_param('s', $username)
to avoid SQL injection possibilities.
But what if I running my query on something that is not user-inputted but something like an auto-generated ID. Example:
prepare("SELECT username, foo, bar from table where id = ?");
Where id is self-generated (auto-incremented value). Do I have to make use of bind_param('i', $id)
here too or can I just prepare the query as:
prepare("SELECT username, foo, bar from table where id = '$id'");
If bind_param();
is needed, why?
Thanks!
Technically you're not at risk if you don't prepare data that's not coming from user input. However, it's strongly advised to do so for a couple of reasons:
Somewhere in your code you have a log system that adds an errorlog to your database. The string would be:
Error: User "xxx" with IP "x.x.x.x" used a wrong password.
This string is generated by your script. Therefor you don't prepare it. Yet the quotes inside this string will cause errors with your database that could've been prevented if you prepared it anyway.
If you are not running your query on user-inputed values, then use the query() method instead. Don't use bindParams() and execute() since you are not working with prepare().
query(SELECT username, foo, bar from table where id = '$id'");