Tags: php, mysql, pdo, prepared-statement, parameterized-query

Parameterized PDO statements: should trusted, constant values be parameterized?


SELECT name FROM customers WHERE location = ? AND active = '1'

In this query, the value for location would come from an untrusted source, but the value for active is going to always be = 1. I'm using PDO for php/mysql.

Should I also parameterize the value for active?
If active wasn't a constant but came from a changing and trusted source, should I still parameterize? (i.e. for caching benefits?)


Solution

  • No, there is no benefit to parameterizing constant values.

    The purpose of parameterizing is to allow application data to be combined with SQL expressions safely and repeatedly. The safely part is to prevent SQL injection. The repeatedly part is so you can execute a prepared query again with different values, possibly relieving the RDBMS from having to re-parse and re-optimize the query.

    Neither of these is an issue if you always use the same constant value in your query. You are not at risk of SQL injection from a hardcoded value, and you can re-execute the query if you need to, without re-parsing.

    There's no caching of parameters going on. If anything, using prepared statements makes it harder for MySQL to cache the results (i.e. the query cache has limitations on caching results from prepared statements). But once you use prepared statements, it doesn't matter if it has one parameter versus two or more.


    I do wonder why you put the integer in quotes. I see that a lot, but I have no idea how that got started or who thought it was necessary.
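The pattern the answer describes, as an added example that is not part of the original question or answer: only the untrusted `location` is bound through a placeholder, while the constant `active = 1` stays in the SQL text, and the one prepared statement is executed repeatedly. It uses PDO against an in-memory SQLite database so it runs without a MySQL server; the `customers` table and its rows are constructed sample data, and the function name `activeCustomersIn` is this example's own.

```php
<?php
// Added example, not code from the original post. SQLite in-memory stands in
// for MySQL so the script runs offline; the PDO calls are identical for both.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Prefer server-side prepares where the driver supports them instead of
// client-side emulation, so the RDBMS parses the statement once.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample data.
$pdo->exec('CREATE TABLE customers (name TEXT, location TEXT, active INTEGER)');
$seed = $pdo->prepare('INSERT INTO customers (name, location, active) VALUES (?, ?, ?)');
foreach ([['Ada', 'Berlin', 1], ['Bob', 'Berlin', 0], ['Cy', "St. John's", 1]] as $row) {
    $seed->execute($row);
}

// Prepared once. The untrusted value gets a placeholder; the constant 1 is
// ordinary SQL text, so there is nothing for a parameter to protect or reuse.
$stmt = $pdo->prepare(
    'SELECT name FROM customers WHERE location = ? AND active = 1'
);

/**
 * Run the prepared statement for one untrusted location value.
 * Each call re-executes the same parsed statement with new data.
 */
function activeCustomersIn(PDOStatement $stmt, string $location): array
{
    $stmt->execute([$location]);        // $location is sent as data, never as SQL
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(activeCustomersIn($stmt, 'Berlin'));      // only Ada: Bob is inactive
// A value containing a quote is handled by the binding, not by the SQL text,
// so it needs no escaping and cannot alter the query's structure.
print_r(activeCustomersIn($stmt, "St. John's"));  // Cy
```

Binding `active` as a second parameter would work too, but it buys nothing: the value never varies and never comes from outside the program, so neither the injection protection nor the re-execution benefit applies to it.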