Rosamunda Rosamunda - 1 year ago 66
MySQL Question

Is it mandatory to use a prepared statement in a SELECT query?

If you use htmlspecialchars() when receiving input from the user, like:

$email = htmlspecialchars($_POST['email']);

Should you use a prepared statement if the query is just a SELECT one?

Answer Source

You should always use prepared statements. Here's an example: if the user inputs the following:

"105 or 1=1"

The htmlspecialchars() function won't do anything to it. The query would look like:

SELECT * FROM Users WHERE UserId = 105 or 1=1

See this doc
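An added example, not part of the question or the answer above, that runs the answer's scenario end to end: the same input passed through htmlspecialchars(), once concatenated into the query and once bound through a PDO prepared statement. The Users table, its rows and the in-memory SQLite database are constructed here so it runs stand-alone.

```php
<?php
// Demonstration (added example, not from the original post): why
// htmlspecialchars() does not prevent SQL injection, and why a prepared
// statement does. Assumes PHP with the PDO SQLite driver; the table and
// rows below are constructed for this demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Email TEXT)');
$pdo->exec("INSERT INTO Users VALUES (104, 'a@example.com'),
                                     (105, 'b@example.com'),
                                     (106, 'c@example.com')");

// The input from the answer, as it would arrive in $_POST.
// htmlspecialchars() leaves it untouched: it contains no <, >, & or quotes.
$input = htmlspecialchars('105 or 1=1');

// Unsafe: concatenation. The escaped text is spliced straight into the SQL,
// producing: SELECT * FROM Users WHERE UserId = 105 or 1=1
$sql = "SELECT * FROM Users WHERE UserId = $input";
$unsafe = $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
printf("concatenated query returned %d rows (every user)\n", count($unsafe));

// Safe: prepared statement. The whole input is bound as one value, so it
// can only ever be compared against UserId, never become SQL grammar.
$stmt = $pdo->prepare('SELECT * FROM Users WHERE UserId = ?');
$stmt->execute([$input]);
$safe = $stmt->fetchAll(PDO::FETCH_ASSOC);
printf("prepared statement returned %d rows\n", count($safe));
// SQLite: 0 rows, because '105 or 1=1' is not a number and never equals
// an integer UserId. Either way the bound value cannot widen the WHERE clause.
```

htmlspecialchars() is an output-encoding function for HTML contexts; it has no bearing on SQL, so keep it for rendering and use bound parameters for every query, SELECT included.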
