PDO prepared statements with several conditions in the WHERE clause

If I use PDO prepared statements, and I have a query like this:

SELECT cat_name, cat_id_PK, cat_amount
FROM categories
WHERE month=? AND is_recurring = '0'
ORDER BY cat_name ASC;

$results->bindValue(1, $cur_month);

Should I also bind the value of the is_recurring clause? "0" is hardcoded, and I don't think that would leave me vulnerable to SQL injection, but I wanted to ask you to be sure. I noticed that in the tutorial I watched, they bind the value even when it is not passed in a variable, which made me wonder if I am doing this correctly.

+4
2 answers

In this case, binding is not required; it is not a variable.

+1

, . PHP.net, :

  • , ,
  • SQL

, . , . , SQL- . ( , , )

: 0, .

+1
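
The point from the question and the first answer, as an added example that is not code from the original posts: the query with the hardcoded '0' and the query with both values bound return the same rows, and only the runtime value needs a placeholder. The in-memory SQLite database, the sample rows and the namesFor helper are constructed for illustration, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Added example. Schema and rows are constructed; assumes the pdo_sqlite extension.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE categories (cat_id_PK INTEGER PRIMARY KEY,
    cat_name TEXT, cat_amount REAL, month TEXT, is_recurring TEXT)");
$pdo->exec("INSERT INTO categories (cat_name, cat_amount, month, is_recurring) VALUES
    ('Rent', 900, '2024-05', '1'), ('Groceries', 250, '2024-05', '0'),
    ('Fuel', 80, '2024-05', '0'), ('Gifts', 40, '2024-06', '0')");

// Form from the question: '0' is a literal the developer typed into the SQL text,
// so only the runtime value ($cur_month) goes through a placeholder.
$literal = $pdo->prepare(
    "SELECT cat_name, cat_id_PK, cat_amount
     FROM categories
     WHERE month = ? AND is_recurring = '0'
     ORDER BY cat_name ASC");

// Form from the tutorial: the constant is bound as well.
$bound = $pdo->prepare(
    "SELECT cat_name, cat_id_PK, cat_amount
     FROM categories
     WHERE month = ? AND is_recurring = ?
     ORDER BY cat_name ASC");

// Hypothetical helper: bind positional values (1-based), run, return the cat_name column.
function namesFor(PDOStatement $stmt, array $values): array
{
    foreach ($values as $i => $value) {
        $stmt->bindValue($i + 1, $value);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 0);
}

$cur_month = '2024-05';
$a = namesFor($literal, [$cur_month]);
$b = namesFor($bound, [$cur_month, '0']);
echo "literal form: ", json_encode($a), "\n";
echo "bound form:   ", json_encode($b), "\n";
echo "same rows:    ", var_export($a === $b, true), "\n";

// The placeholder is what matters for the variable: a value containing quote
// characters is compared against the month column as one string, not parsed as SQL.
$odd = "2024-05' OR '1'='1";
echo "odd month:    ", json_encode(namesFor($literal, [$odd])), "\n";
```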
