Crazy Horse
Is a prepared statement still safe from SQL injection if not using ?
I just want to select pretty much all records from a particular table. There is no WHERE clause, and I don't think I have a place for the "?". So, is this still safe from SQL injection, or do I have to change something?
$stmt = $link->prepare("SELECT `contact_name`, `contact_email`, `contact_message`, `contact_date` FROM `contact_form` ORDER BY `contact_id` DESC");
if ($stmt === false) {
    die('prepare failed: ' . $link->error); // prepare() returns false if the statement is rejected
}
$stmt->execute();
$result = $stmt->get_result(); // get_result() needs the mysqlnd driver
$numRows = $result->num_rows;
if ($numRows > 0) {
    while ($row = $result->fetch_assoc()) {
        // clean_user_input() is the asker's own helper, defined elsewhere
        $db_name = clean_user_input($row['contact_name']);
        $db_email = filter_var($row['contact_email'], FILTER_SANITIZE_EMAIL);
        $db_message = clean_user_input($row['contact_message']);
        $db_date = clean_user_input($row['contact_date']);
    }
}
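The point behind the question: a prepared statement whose SQL text is a fixed string has no injection surface, because nothing from the request is ever spliced into it; the placeholder only becomes necessary the moment a request value has to reach the query. The following is an added example, not code from the question or its answers; it assumes $link is an open mysqli connection (with mysqlnd, as the asker's get_result() call already requires) and the `contact_form` table from the question.

```php
<?php
// Added example: the asker's query with and without untrusted input, to show
// where a placeholder is actually needed. Assumes an open mysqli $link.

// Case 1: the SQL text is a constant with nothing from the request in it.
// There is no injection surface here, with or without prepare(); using
// prepare() anyway is harmless and keeps the data-access code uniform.
function fetch_all_contacts(mysqli $link): array
{
    $sql = "SELECT `contact_name`, `contact_email`, `contact_message`, `contact_date`
            FROM `contact_form` ORDER BY `contact_id` DESC";
    $stmt = $link->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $link->error);
    }
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Case 2: as soon as a request value reaches the query (an optional e-mail
// filter here), it travels as a bound parameter. The SQL text stays a
// constant; only the value sent alongside it changes, so the server never
// parses attacker-controlled text as SQL.
function fetch_contacts_by_email(mysqli $link, string $email): array
{
    $sql = "SELECT `contact_name`, `contact_email`, `contact_message`, `contact_date`
            FROM `contact_form` WHERE `contact_email` = ? ORDER BY `contact_id` DESC";
    $stmt = $link->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $link->error);
    }
    $stmt->bind_param('s', $email); // 's' = string; bound by reference
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// What prepare() cannot fix: building the value into the string first, e.g.
//   "... WHERE `contact_email` = '" . $_GET['email'] . "'"
// hands the server a statement that already contains the request text, so the
// placeholder mechanism is bypassed. Shown as a comment only.

// Usage: filter when an e-mail was supplied, otherwise list everything.
$rows = (isset($_GET['email']) && $_GET['email'] !== '')
    ? fetch_contacts_by_email($link, $_GET['email'])
    : fetch_all_contacts($link);
foreach ($rows as $row) {
    // Escaping belongs at output time, for the output context (HTML here).
    echo htmlspecialchars($row['contact_name'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```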
You are welcome.