Rosamunda - 5 months ago
MySQL Question

Is it mandatory to use a prepared statement in a SELECT query?

If you use htmlspecialchars() when receiving input from the user, like:

$email = htmlspecialchars($_POST['email']);

Should you use a prepared statement if the query is just a SELECT one?


You should always use prepared statements. Here's an example: if the user inputs the following:

"105 or 1=1"

The htmlspecialchars() function won't do anything to it. The query would look like:

SELECT * FROM Users WHERE UserId = 105 or 1=1

See this doc
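The point the answer makes, shown end to end as an added example (this is not code from the question or the answer above). It uses PDO against an in-memory SQLite database so it runs offline; the assumption is that the pdo_sqlite extension is loaded, and the table, rows and the `findUserById()` helper are constructed for the demonstration. Against MySQL only the DSN changes.

```php
<?php
// Added example; not code from the original question or answer.
// Assumes the pdo_sqlite extension is available. Against MySQL only the DSN
// differs, e.g. new PDO('mysql:host=127.0.0.1;dbname=app', $user, $pass).
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for real server-side prepares where the driver supports them,
// rather than having PDO splice values into the SQL string on the client.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample data for the demonstration.
$pdo->exec('CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Email TEXT NOT NULL)');
$pdo->exec("INSERT INTO Users (UserId, Email) VALUES (105, 'alice@example.com'), (106, 'bob@example.com')");

// The attacker-controlled value from the answer. htmlspecialchars() only rewrites
// & < > " (and ' with ENT_QUOTES); none of those characters appear here, so the
// string comes back unchanged and still carries the "or 1=1" payload.
$input   = '105 or 1=1';
$escaped = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
printf("htmlspecialchars() changed the input: %s\n", $escaped === $input ? 'no' : 'yes');

// VULNERABLE: the "escaped" value is concatenated into the query text, so the
// database parses "or 1=1" as part of the WHERE clause and matches every row.
$sql  = "SELECT UserId, Email FROM Users WHERE UserId = $escaped";
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
printf("Concatenated query: %s\n", $sql);
printf("Concatenated query returned %d row(s)\n", count($rows));

// SAFE: validate the type first, then bind the value with a prepared statement.
// The bound value is sent separately from the SQL text, so it can only ever be
// compared as data; it is never parsed as SQL.
function findUserById(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        // "105 or 1=1" is not an integer: reject it before touching the database.
        return null;
    }
    $stmt = $pdo->prepare('SELECT UserId, Email FROM Users WHERE UserId = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

var_dump(findUserById($pdo, $input)); // rejected by the integer check
var_dump(findUserById($pdo, '105'));  // a legitimate id is looked up normally
```

Two things worth noting. htmlspecialchars() is an HTML output encoder: it belongs where a value is written into an HTML page, and it has no knowledge of SQL syntax, which is why the string above passes through it untouched. And a prepared statement stops the value from being parsed as SQL, but it does not make the value the right type; the integer validation in `findUserById()` is there so that a non-numeric id is refused outright instead of being silently coerced in a way that differs between MySQL and other engines.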