I've been reading up on SQL injections and I couldn't find an answer to this question.
I understand if I have a query like this
prepare("SELECT id, foo, ba
If you are not running your query on user-inputted values, then use the query() method instead. Don't use bindParams() and execute() since you are not working with prepare().
query("SELECT username, foo, bar from table where id = '$id'");
Technically you're not at risk if you don't prepare data that's not coming from user input. However, it's strongly advised to do so for a couple of reasons:
Somewhere in your code you have a log system that adds an errorlog to your database. The string would be:
Error: User "xxx" with IP "x.x.x.x" used a wrong password.
This string is generated by your script. Therefore you don't prepare it. Yet the quotes inside this string will cause errors with your database that could've been prevented if you prepared it anyway.
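An added example to go with the answer above; it is not code from the question or the answer. The answer's code is PHP PDO, and this uses Python's standard sqlite3 module instead because it has the same split between executing a fully built SQL string (PDO's query()) and binding parameters to a placeholder (prepare() plus execute()). The errorlog and users tables, their rows, and the two log lines are constructed for the demonstration. It shows both points made on this page: a script-generated log line that happens to contain the quote character used to delimit the SQL literal breaks the interpolated INSERT but is stored intact by the parameterised one, and the `where id = '$id'` lookup from the question returns every row when the id is attacker-controlled, while the parameterised lookup returns nothing.

```python
import sqlite3

# Constructed sample, mirroring the answer's log line: generated by the
# application itself, no user input involved.
LOG_LINE = 'Error: User "xxx" with IP "x.x.x.x" used a wrong password.'
# Constructed sample: the same line where the username carries a single
# quote, which is the delimiter the INSERT below uses for its SQL literal.
LOG_LINE_WITH_QUOTE = "Error: User \"o'brien\" with IP \"x.x.x.x\" used a wrong password."


def make_db():
    """In-memory database with an assumed minimal schema: an error log and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE errorlog (id INTEGER PRIMARY KEY, message TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (id, username) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob")])
    conn.commit()
    return conn


def log_interpolated(conn, message):
    """Build the INSERT by splicing the message into the SQL text (the query() style).
    Returns True if the database accepted the statement, False if it rejected it."""
    sql = "INSERT INTO errorlog (message) VALUES ('" + message + "')"
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.Error:
        # A quote in the message ends the literal early; what follows is not valid SQL.
        return False


def log_prepared(conn, message):
    """Bind the message to a placeholder (the prepare()/execute() style).
    The message is sent as data and never becomes part of the SQL text."""
    conn.execute("INSERT INTO errorlog (message) VALUES (?)", (message,))
    conn.commit()
    return True


def stored_messages(conn):
    """Messages currently in the error log, in insertion order."""
    return [row[0] for row in conn.execute("SELECT message FROM errorlog ORDER BY id")]


def find_user_interpolated(conn, user_id):
    """The question's `where id = '$id'` lookup with the id spliced into the SQL string."""
    sql = "SELECT username FROM users WHERE id = '" + user_id + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_user_prepared(conn, user_id):
    """The same lookup with the id bound as a parameter."""
    rows = conn.execute("SELECT username FROM users WHERE id = ? ORDER BY id", (user_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("interpolated, no single quote:", log_interpolated(db, LOG_LINE))
    print("interpolated, with single quote:", log_interpolated(db, LOG_LINE_WITH_QUOTE))
    print("prepared, with single quote:", log_prepared(db, LOG_LINE_WITH_QUOTE))
    print("stored:", stored_messages(db))
    print("lookup id=1 interpolated:", find_user_interpolated(db, "1"))
    print("lookup injected interpolated:", find_user_interpolated(db, "' OR '1'='1"))
    print("lookup injected prepared:", find_user_prepared(db, "' OR '1'='1"))
```

Which message breaks the interpolated INSERT depends on which quote character delimits the SQL literal: with single-quoted literals the double quotes in the answer's line pass through and a single quote breaks it; with double-quoted literals (PHP's `"$msg"` style against MySQL) it is the other way round. The parameterised version does not care either way, which is the practical reason to prepare even script-generated strings.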