I'm learning mysqli prepared statements and have a few questions about it
From what I have understood we use prepared statement for those queries that have dynamic variable in them for eg in login - email & password.
I want to know if prepared statements are necessary for queries where no dynamic element is there for eg fetching users from database. If I do this like below query does this makes it vulnerable
SELECT
name, email
FROM
users
How can I use prepared statement without using bind param?
Like in pdo we do like this
$array=array($email,$pass);
$db->query("SELECT name from users where email=? and password=?");
$db->execute($array);
Can I do something like this in mysqli? I have searched and found results that use bind param , nothing without using bind.?
Your answers are as follows:
1.See this-stackoverflow.com/questions/5108414/mysqli-query-vs-prepare-(the link that AdRock posted in his comment.)
2.Instead of-
$db->query("SELECT name from users where email=? and password=?");
$db->bind_param("ss", $email, $password);
$db->execute($array);
You can do this-
$db->query("SELECT name from users where email='$email' and password='$password'");
$db->execute($array);