I'm working on an application at the moment that uses PDO with a MySQL database.
I'm seeing some queries, which are just very simple
SELECT * FROM table ORDER BY name ASC
$sql = "SELECT * FROM " . $this->table . " ORDER BY name ASC";
$stmt = $this->db->query($sql);
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);
The SQL statement can contain zero or more named (:name) or question mark (?) parameter markers
Yes, because the use of prepared statements has two main purposes:
Since you have no parameters that could be handled by a prepared statement (table names cannot be a parameter), you do not gain anything by pushing the query through as a prepared statement.
You still need to make sure that whatever is returned by $this->table will not cause any issues with the generated SQL code.
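As an added example (not code from the question or the answer above), here is one way to keep the query above safe when the table name is a class property rather than a bindable value: validate it against an allow-list, quote it as a MySQL identifier, and reserve prepare() for the places where a real value is bound. The table names, the Repository class and the DSN in the usage comment are assumptions for illustration.

```php
<?php
// Added example, not part of the original question or answer.
// Assumes a PDO handle connected to MySQL and a hypothetical allow-list of tables.

final class Repository
{
    /** Tables this repository may read from (hypothetical names). */
    private const ALLOWED_TABLES = ['users', 'orders', 'products'];

    public function __construct(private PDO $db, private string $table)
    {
        // Identifiers cannot be bound as parameters, so the only defence is
        // to refuse anything that is not an expected table name.
        if (!in_array($table, self::ALLOWED_TABLES, true)) {
            throw new InvalidArgumentException("Unknown table: $table");
        }
    }

    /**
     * Quote an identifier for MySQL: wrap it in backticks and double any
     * backtick inside it. Note that PDO::quote() is for string values, not
     * identifiers, so it must not be used here.
     */
    private static function quoteIdentifier(string $name): string
    {
        return '`' . str_replace('`', '``', $name) . '`';
    }

    /** The query from the question: no values to bind, so query() is enough. */
    public function fetchAllOrderedByName(): array
    {
        $sql = 'SELECT * FROM ' . self::quoteIdentifier($this->table) . ' ORDER BY name ASC';
        $stmt = $this->db->query($sql);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    /** A value, unlike an identifier, can be bound, so here prepare() earns its keep. */
    public function findByName(string $name): array
    {
        $sql = 'SELECT * FROM ' . self::quoteIdentifier($this->table) . ' WHERE name = :name';
        $stmt = $this->db->prepare($sql);
        $stmt->execute([':name' => $name]);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Usage (DSN, user and password are assumptions):
// $db = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // send real server-side prepares to MySQL
// ]);
// $rows = (new Repository($db, 'users'))->fetchAllOrderedByName();
// $one  = (new Repository($db, 'users'))->findByName('alice');
// new Repository($db, 'users; DROP TABLE users'); // throws InvalidArgumentException
```

The allow-list is what actually protects the query: backtick quoting only guards against a stray backtick terminating the identifier, and a quoted but attacker-chosen table name would still let a caller read any table the database user can see. Turning emulated prepares off is a separate, general PDO hardening step and does nothing for the identifier case.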