<div>
<div class="content wysiwyg-content">
I just want to select pretty much all records from a particular table. There is no WHERE clause and I don't think I have a place for the &quot;?&quot; So, is this still safe from SQL injection or do I have to change something?<br />
<br />

<pre><code id="code-10-28975195-1">$stmt = $link-&gt;prepare(&quot;SELECT `contact_name`, `contact_email`, `contact_message`, `contact_date` FROM `contact_form` ORDER BY `contact_id` DESC&quot;);
$stmt-&gt;execute();
$result = $stmt-&gt;get_result();
$numRows = $result-&gt;num_rows;
if($numRows &gt; 0) {
	
		while($row = $result-&gt;fetch_assoc()){
		$db_name = clean_user_input($row['contact_name']);
		$db_email = filter_var($row['contact_email'], FILTER_SANITIZE_EMAIL);
		$db_message = clean_user_input($row['contact_message']);
		$db_date = clean_user_input($row['contact_date']);
	}
}</code></pre>
</div>
</div>


I just want to select pretty much all records from a particular table. There is no WHERE clause and I don't think I have a place for the "?" So, is this still safe from SQL injection or do I have to change something?

(CODE)

is a prepared statement still safe from Sql injection if not using ?

PHP is a widely-used server-side scripting language especially suited for web development, powering tens of millions of sites from Facebook to personal WordPress blogs. PHP is often paired with the MySQL relational database, but includes support for most other mainstream databases. By utilizing different Server APIs, PHP can work on many different web servers as a server-side scripting language.

MySQL is an open source, relational database management system that runs as a server providing multi-user access to a number of databases. Acquired by Oracle in 2009, it is frequently used in combination with PHP installations, powering most of the WordPress installations.