Bind variables in PHP-MySQL

Question

I am using below code to execute MySQL query in PHP.

$cus_id = '1';
$query = new QUERY();
$clause = "SELECT * FROM customers WHERE cus_id=:cus_id AND status='ACTIVE'";
$params = array('cus_id'=>$cus_id);
$result = $query->run($clause, $params)->fetchAll();

Now the question is: is it secure enough. Or do I need to bind the static String as well? Something like:

$clause = "SELECT * FROM customers WHERE cus_id=:cus_id AND status=:status";
$params = array('cus_id'=>$cus_id, 'status'=>'ACTIVE');

You need to learn about sql injection attacks. Because your question is suggestive of cargo-cult programming - doing something without ever understanding WHY you're doing it. — Marc B
– Marc B, Commented Oct 26, 2015 at 14:26
Thank you everyone. @MarcB: I read your article before. I though I should clear it once again. — RNK
– RNK, Commented Oct 26, 2015 at 14:28

Daan · Accepted Answer · 2015-10-26 14:25:25Z

1

It's secure because ACTIVE isn't user input. So you don't need to bind it.

answered Oct 26, 2015 at 14:25

Daan

12.3k6 gold badges36 silver badges51 bronze badges

Sign up to request clarification or add additional context in comments.

Comments

chaos · Accepted Answer · 2015-10-26 14:26:00Z

1

It's fine the way you have it. The value for status isn't being dynamically assembled and doesn't create any vulnerabilities.

answered Oct 26, 2015 at 14:26

chaos

125k34 gold badges306 silver badges310 bronze badges

Collectives™ on Stack Overflow

Bind variables in PHP-MySQL

2 Answers 2

Comments

Comments

Hot Network Questions

Collectives™ on Stack Overflow

2 Answers 2

Comments

Comments

Related