准备“硬编码”SQL请求
问题描述:
This might be a stupid question but should you still use prepared SQL even when the SQL isn't getting any variables from a field, POST or GET?
Example:
$sql = mysqli_query($con, "SELECT * FROM table WHERE foo = 'bar'");
In my book this is safe since there is no input, am I wrong?
这可能是一个愚蠢的问题,但即使SQL没有从中获取任何变量,您仍然应该使用准备好的SQL 一个字段,POST或GET? p>
示例: p>
$ sql = mysqli_query($ con,“SELECT * FROM table WHERE foo = 'bar'“);
code> pre>
在我的书中,这是安全的,因为没有输入,我错了吗? p>
div>
答
It doesnt matter where a variable come from. It is not about field. It's about a variable. As long as you are using at least one variable in the query - it have to be prepared with placeholders
Otherwise you can use query() method instead. There is no use for the preparing completely static queries as one is shown in the OP.