troubleshooting Question

is a prepared statement still safe from Sql injection if not using ?

Avatar of Crazy Horse
Crazy HorseFlag for South Africa asked on
PHPMySQL Server
3 Comments1 Solution89 ViewsLast Modified:
I just want to select pretty much all records from a particular table. There is no WHERE clause and I don't think I have a place for the "?" So, is this still safe from SQL injection or do I have to change something?

$stmt = $link->prepare("SELECT `contact_name`, `contact_email`, `contact_message`, `contact_date` FROM `contact_form` ORDER BY `contact_id` DESC");
$stmt->execute();
$result = $stmt->get_result();
$numRows = $result->num_rows;
if($numRows > 0) {
	
		while($row = $result->fetch_assoc()){
		$db_name = clean_user_input($row['contact_name']);
		$db_email = filter_var($row['contact_email'], FILTER_SANITIZE_EMAIL);
		$db_message = clean_user_input($row['contact_message']);
		$db_date = clean_user_input($row['contact_date']);
	}
}
ASKER CERTIFIED SOLUTION
Join our community to see this answer!
Unlock 1 Answer and 3 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 3 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros