Execute on unprepared sentences


This is a question of concept consultation. The prepared statements protect the sql injection query.

$sth = $dbh->prepare('SELECT name, colour, calories FROM fruit
    WHERE calories < :calories AND colour = :colour');
$sth->bindParam(':calories', $calories);
$sth->bindParam(':colour', $colour);

But if external values are not used, it is not necessary to use prepared statements, that's why Query () is used.

$sth = $dbh->query('SELECT name, colour FROM fruit
    WHERE calories < 50');

But it is better not to use execute () also on unprepared sentences instead of query () ?

asked by Piropeator 07.05.2018 в 05:33

1 answer


The sentences before being processed must be prepared, because in a production environment they will respond to the interactivity of the user; that is, a select, insert, update or delete will depend on the variables that the user sends:

$enunciado = $conexion->prepare("SELECT * FROM ventas WHERE producto = :producto");

For the previous case, the response of the system will depend on the information sent by the user

$enunciado = $conexion->prepare("SELECT * FROM ventas WHERE producto = :producto");
$ejecutar->bindParam(':producto', $producto, PDO::PARAM_STR);

If you are only running tests in a location where it is not an environment   real for your application there if it is otherwise; but generally   developments go to production therefore they must pass the   sentences by the prepare method as well as identify the values that   arrive by means of the position pointers and at the end indicate the   type of data that arrives

The fact is not that it is as such an opinion of whether it is better or not, but by the fact that sentences should not only respond to op with the database but also protect the user who is using them to avoid SQL injection attacks


If you do not, you are eliminating the good practice of protecting your   SQL queries, which for any development should be   present

I advise you to keep in mind that not only do you have execute () or bindParam present, but also:

  • So that with the above at the time of doing bindParam the type of value that is happening is identified

    answered by 07.05.2018 / 06:10