I have only used PHP prepared statements for SQL insertions until now, but I wonder if I have to use prepared statements for all SQL queries, and if so, how can I use them in the following SELECT statement?
// sql for category (no user input, so no parameters to bind)
$sql_category = "SELECT id AS id_category, name AS name_category
                 FROM category";
$results = mysqli_query($conn, $sql_category);
if ($results === false) {
    // query failed: report the MySQL error
    echo mysqli_error($conn);
} else {
    // fetch every row as an associative array
    $categories = mysqli_fetch_all($results, MYSQLI_ASSOC);
}
I would be very pleased to be correctly answered, and if you have any suggestions or questions, please let me know.
This code works properly at the moment.
>Solution :
SQL injection prevention is a bonus feature of prepared statements, otherwise, they’re just "prepared statements"… prepare once, execute many times, with different parameter values.
That being said, you could use prepared statements throughout your code base for consistency, even if the query does not accept any parameters. You’ll have to:
- use mysqli::prepare to create a mysqli_stmt object
- use mysqli_stmt::bind_param to specify parameter values (if any)
- use mysqli_stmt::execute to execute the statement
- use mysqli_stmt::get_result to get the result
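Putting those four steps together for the SELECT from the question, as an added example that is not part of the answer above. It assumes $conn is an open mysqli connection, and it adds a second, hypothetical query with a ? placeholder so that the bind_param step is shown as well:

```php
<?php
// Added example: prepared-statement version of the category SELECT.
// Assumes $conn is an existing mysqli connection (not shown on the page).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// 1. prepare: this query takes no parameters, so there is nothing to bind
$stmt = $conn->prepare("SELECT id AS id_category, name AS name_category FROM category");
// 2. execute
$stmt->execute();
// 3. get the result set and fetch every row as an associative array
$categories = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
$stmt->close();

// Same pattern with a parameter (hypothetical filter by id): the value travels
// separately from the SQL text, so it is never parsed as part of the query.
$category_id = 5; // constructed sample value
$stmt = $conn->prepare("SELECT id AS id_category, name AS name_category FROM category WHERE id = ?");
$stmt->bind_param("i", $category_id); // "i" marks the value as an integer
$stmt->execute();
$category = $stmt->get_result()->fetch_assoc(); // null when no row matches
$stmt->close();
```

mysqli_stmt::get_result requires the mysqlnd driver; on builds without it, bind the output columns with mysqli_stmt::bind_result and loop over mysqli_stmt::fetch instead.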