I believe I understand the basics of SQL injection. I also know using prepared statements with PHP files is the best way to prevent SQL injection. I was always told that SQL injection happens most commonly when an attacker inputs valid SQL commands inside form data fields or file input fields on a public-facing site.
However, if I have PHP files on my site that can only be accessed by an authenticated user, is it still 100% necessary to use prepared statements?
Also, what about SQL queries that don't require any outside user data to run? Something like:
SELECT * FROM tableName
If I'm not passing any variables to a query, is it still vulnerable to SQL injection?
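
Added example, not part of the original question: the two cases asked about, run side by side against an in-memory SQLite database through PDO. The `notes` table, its rows, the function names and the sample input are all constructed for illustration; the "authenticated user" is modelled as an owner name that would come from the session.

```php
<?php
// Constructed schema and data (assumption: PDO with the sqlite driver is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)");
$db->exec("INSERT INTO notes (owner, body) VALUES ('alice', 'alice note'), ('bob', 'bob note')");

// Hypothetical page logic: $owner is the logged-in user, $search is that user's request data.
// Concatenation: the request data becomes part of the SQL text the database parses.
function searchConcatenated(PDO $db, string $owner, string $search): array
{
    $sql = "SELECT body FROM notes WHERE owner = '$owner' AND body LIKE '%$search'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared statement: the SQL text is fixed; values travel separately as bound parameters.
function searchPrepared(PDO $db, string $owner, string $search): array
{
    $stmt = $db->prepare("SELECT body FROM notes WHERE owner = :owner AND body LIKE :pattern");
    $stmt->execute([':owner' => $owner, ':pattern' => '%' . $search]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Static query: the SQL text contains no variables, so there is nothing for input to alter.
function listAll(PDO $db): array
{
    return $db->query("SELECT body FROM notes")->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input sent by the authenticated user "alice".
$input = "x' OR 1=1 --";

// Being logged in does not change how the query is parsed: alice also gets bob's row.
echo "concatenated: ", implode(', ', searchConcatenated($db, 'alice', $input)), PHP_EOL;

// The same input is treated as a literal search pattern and matches nothing.
echo "prepared:     ", implode(', ', searchPrepared($db, 'alice', $input)), PHP_EOL;

// Fixed text, same result on every call regardless of what any request contains.
echo "static:       ", implode(', ', listAll($db)), PHP_EOL;
```

The static query returns every row by design, so who may reach the page that runs it is an access-control question rather than an injection one.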