I believe I understand the basics of SQL injection. I also know using prepared statements with PHP files is the best way to prevent SQL injection. I was always told that SQL injection happens most commonly when an attacker inputs valid SQL commands inside form data fields or file input fields on a public-facing site.
However, if I have PHP files on my site that can only be accessed by an authenticated user, is it still 100% necessary to use prepared statements?
Also, what about SQL queries that don't require any outside user data to run?
Something like:
SELECT * FROM tableName
If I'm not passing any variables to a query, is it still vulnerable to SQL injection?
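
An added example, not part of the original post, contrasting the cases the question raises: a constant query, a query built by concatenating a value from a logged-in user, and the same query as a prepared statement. It assumes PDO with the pdo_sqlite extension so it runs offline; the `owner` column, the sample rows, and the `$owner` value are constructed for illustration.

```php
<?php
// Added illustration; column, data, and variable names are hypothetical.
// Assumes the pdo_sqlite extension so the example needs no database server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tableName (id INTEGER PRIMARY KEY, owner TEXT)');
$pdo->exec("INSERT INTO tableName (owner) VALUES ('O''Brien'), ('Smith')");

// Case 1: constant query text. No variable reaches the SQL parser, so there
// is nothing to bind and nothing for input to alter.
$all = $pdo->query('SELECT * FROM tableName')->fetchAll(PDO::FETCH_ASSOC);
echo count($all), " rows from the constant query\n";

// Constructed value standing in for a form field sent by an authenticated
// user. It is an ordinary surname, not a crafted input.
$owner = "O'Brien";

// Case 2: concatenation. The apostrophe closes the string literal early, so
// the database parses the rest of the value as SQL instead of data. Being
// logged in does not change how the query text is parsed.
try {
    $pdo->query("SELECT * FROM tableName WHERE owner = '" . $owner . "'");
    echo "concatenated query ran\n";
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

// Case 3: prepared statement. The query text is fixed and the value is bound
// separately, so the apostrophe stays inside the data.
$stmt = $pdo->prepare('SELECT * FROM tableName WHERE owner = :owner');
$stmt->execute([':owner' => $owner]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo count($rows), " row(s) from the prepared statement\n";
```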