
I am using the below code to execute a MySQL query in PHP.

$cus_id = '1';
$query = new QUERY();
$clause = "SELECT * FROM customers WHERE cus_id=:cus_id AND status='ACTIVE'";
$params = array('cus_id'=>$cus_id);
$result = $query->run($clause, $params)->fetchAll();

Is it secure enough, or do I need to bind the static variable as well as seen below?

$clause = "SELECT * FROM customers WHERE cus_id=:cus_id AND status=:status";
$params = array('cus_id'=>$cus_id, 'status'=>'ACTIVE');
asked Oct 26, 2015 at 14:17

1 Answer


The static variable 'ACTIVE' cannot be messed with from the outside in any way, and is therefore safe in the first example.

The only reason I can come up with to still warrant a change to the second snippet is for consistency and future refactors. Suppose you want to change the method where this query appears and you want to give the user the freedom to choose between ACTIVE and ARCHIVED? To prevent yourself from making a very quick change and potentially creating a vulnerability, you should possibly make a habit of escaping every variable.

(Though in the specific case of a status field where only a specific list of constants is valid, I'd definitely also validate that the input is a valid input.)

answered Oct 26, 2015 at 16:36
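As an added illustration of the answer's two points (bind every value, and allow-list a status that users may one day choose), here is a stand-alone PHP example using plain PDO. It is not the asker's `QUERY` wrapper and not code from the answer; it assumes the `pdo_sqlite` extension and builds an in-memory `customers` table with constructed sample rows so it runs offline.

```php
<?php
// Added example: PDO with named placeholders for both cus_id and status,
// plus an allow-list check on status before it reaches the query.
// The database, table and rows are constructed sample data (SQLite in memory).

declare(strict_types=1);

// The only status values the application recognises (assumed list).
const ALLOWED_STATUSES = ['ACTIVE', 'ARCHIVED'];

function openSampleDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE customers (cus_id INTEGER PRIMARY KEY, name TEXT, status TEXT)');

    // Even the seed data is inserted through bound parameters.
    $insert = $pdo->prepare(
        'INSERT INTO customers (cus_id, name, status) VALUES (:id, :name, :status)'
    );
    foreach ([[1, 'alice', 'ACTIVE'], [2, 'bob', 'ARCHIVED'], [3, 'carol', 'ACTIVE']] as [$id, $name, $status]) {
        $insert->execute(['id' => $id, 'name' => $name, 'status' => $status]);
    }
    return $pdo;
}

/**
 * Fetch customers by id and status. Both values are bound, never concatenated,
 * and $status is checked against the fixed allow-list first, so a later
 * refactor that lets the user pick the status cannot widen the query.
 */
function findCustomers(PDO $pdo, string $cusId, string $status): array
{
    if (!in_array($status, ALLOWED_STATUSES, true)) {
        throw new InvalidArgumentException("Unknown status: $status");
    }

    $stmt = $pdo->prepare(
        'SELECT cus_id, name, status FROM customers WHERE cus_id = :cus_id AND status = :status'
    );
    $stmt->execute(['cus_id' => $cusId, 'status' => $status]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = openSampleDb();

// Ordinary lookup: exactly one row (alice).
var_dump(findCustomers($pdo, '1', 'ACTIVE'));

// A malformed id is just a string that matches no row: the placeholder carries
// it as data, so nothing in it is interpreted as SQL.
var_dump(count(findCustomers($pdo, "1' OR '1'='1", 'ACTIVE'))); // int(0)

// A status outside the allow-list is rejected before any query runs.
try {
    findCustomers($pdo, '1', 'DELETED');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL; // Unknown status: DELETED
}
```

The allow-list check is the part that the second snippet in the question does not give you on its own: binding `:status` keeps the SQL intact, but only validation keeps the query's meaning confined to the statuses the code was written for. With `pdo_mysql` the same functions apply unchanged apart from the DSN.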
