Of course, it makes sense to use anywhere, even in select statements. The fact is that prepared statement are automatically quoted to ensure safety and prevent SQL injection risk. Security is very important for a PHP application, especially since the language by itself does not do anything like that for you, you need to keep in mind yourself.
I suppose as long as all the parameters are NOT and can NEVER BE coming from any user input you could get away with not using prepared statements as far as for security concerns.
And if you aren’t concerned about data integrity in the event of a mess up happening…
You get a small performance boost if you use the same select query in multiple places, but with different search parameters. The query with placeholders is cached on the DB end, and re-used when called again with different params, rather than built from scratch. This is negligible, but hey, if that’s something you care about, it’s there.
Always use prepared statements when you can. It’s a good habit to get into.
You’re making an enormous assumption that filtering will remove any characters special to SQL. Then when building your SQL statements, you have to know which user inputs have been filtered, and what they were filtered for. Now your SQL is more complex than it needs to be and you’re much more likely to make a mistake.
But if you always use prepared statements, then you don’t need to know or care whether a value was filtered, nor how it was filtered. Even unfiltered user input would be safe from injection. Your code becomes simpler, and you’re tremendously less likely to make a mistake.
SELECT user_id FROM member_table WHERE member_name LIKE $_POST[‘name’]
Using his example - injection would be about what the user might have input into the ‘name’ field - the malicious user is not trying to insert bad data into your database, they’re trying to hijack your query - and make the query say something else. For example, they might make their “name” into more SQL query. In another case, this could be terrible. In some cases, it wouldn’t do much.
So for example I might input “WHERE user = 1” into a form as my “name” or my “address”. I’d consider how the query might be set up, consider how I might could jack that query to perform in a different way than intended, and then go from there.
I’m by no means a security and SQL expert, we have several of those here who may chime in and do a better job of explaining (Probably @Mitteneague himself will answer you since you were talking to him) I just figured I’d give you my two cents worth.
TL;DR - Injection can occur without the user actually being interested in inserting bad values. The two can be concurrent, but they could also be separate things entirely.
I understand now better why there is injection danger even in SELECT statements.
But as I understand…in a SELECT statement such as this(meaning is depends on the SELECT statement):
SELECT appointments.Bookfrom,appointments.apID,staffID,appointments.apps_origin,
from appointments,users
WHERE users.email="'.$email.'"
There is no injection danger…correct me if I am wrong
Where is the value for $email coming from? Any use submitted data, via $_GET, $_POST, $_FILES, $_COOKIE or $_REQUEST should always be considered to be dangerous until it has been sanitized and escaped. For escaping prepared statements should ALWAYS be used.
Also there is no valid reason for any application to use $_REQUEST as if the value is coming from a query string (the URL) then $_GET should always be used. If the value is coming from a form then $_POST should always be used.
Preventing injection is just a side effect of using prepare statements - the real benefit of prepare statements is that you only need to prepare the statement once and can then bind different data to it when running it multiple times. That improves the efficiency of the database calls. Not something you might need to do all that often in simple web pages but still worth knowing about.