
Course: Simple PHP Login System, Question: Prepared Statement without Parameters? For: Ben Falk



Posted (edited)

I am poring over the "simple" PHP login system code for Ben Falk's tutorial.  There is one line of code that I cannot make sense of.  After reading several sources online about prepared statements, I *only* ever see them with parameters (e.g. ?).  Yet, in Ben's tutorial, there is a prepared statement without parameters in file register.php:

// create select options
    $select = '<option value="">Select an option</option>';
    $stmt = $mysqli->prepare("SELECT id, name FROM permissions"); // fixed query text, nothing to bind
    $stmt->execute();
    $stmt->bind_result($id, $name); // for more information, see http://www.php.net/manual/en/mysqli-stmt.bind-result.php
    while ($stmt->fetch())
    {
        $select .= "<option value='" . $id . "'";
        // note the leading space: without it the attribute runs into the value quote
        if ($input['type'] == $id) { $select .= " selected='selected'"; }
        $select .= ">" . $name . "</option>";
    }
    $stmt->close();

Why aren't there parameters (e.g. ? ?) in the prepare statement?  Isn't that dangerous?

Thanks!

Andrew

Edit: 10.23.2020 - The more I look at the code and think about it, I think it is actually harmless.  The drop-down box does not allow users to enter information, only select it.  So, the information being passed to the database couldn't be (for the drop-down box) anything but what is already in the box.  Yet, I still find it curious why we are using the prepare statement at all.  Why not just mysqli_query(.....)?

Edited by Drew2
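Added example, not code from the tutorial or from this thread: the parameterless SELECT from register.php next to the point where the dropdown's submitted value re-enters SQL, where a placeholder and a server-side check matter because the browser widget does not constrain what a client can POST. SQLite in memory (via PDO rather than mysqli) stands in for the MySQL server so the script runs stand-alone; the users table and the two function names are assumptions.

```php
<?php
// Added example. SQLite in memory replaces the MySQL server so this runs offline;
// the permissions query is the one from register.php, the users table is assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE permissions (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, type INTEGER)");
$db->exec("INSERT INTO permissions (name) VALUES ('admin'), ('member')");

// 1. The SQL text is a constant: no user input is part of it, so there is nothing
//    to inject and prepare() without '?' is just the statement API doing the work
//    of query(). Escaping is still applied to what goes into the HTML.
function permissionOptions(PDO $db, string $selected): string {
    $stmt = $db->prepare("SELECT id, name FROM permissions");
    $stmt->execute();                       // nothing to bind
    $select = '<option value="">Select an option</option>';
    while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        $sel = ((string)$row['id'] === $selected) ? " selected='selected'" : '';
        $select .= "<option value='" . (int)$row['id'] . "'" . $sel . ">"
                 . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . "</option>";
    }
    return $select;
}

// 2. The value that comes back from the dropdown is user input like any other:
//    a client can POST any string regardless of the widget. So it is checked
//    for shape, verified against the table, and bound with '?', never concatenated.
function registerUser(PDO $db, string $username, string $type): bool {
    if (!ctype_digit($type)) {
        return false;                       // not an integer id at all
    }
    $check = $db->prepare("SELECT COUNT(*) FROM permissions WHERE id = ?");
    $check->execute([(int)$type]);
    if ((int)$check->fetchColumn() !== 1) {
        return false;                       // unknown permission id: reject
    }
    $ins = $db->prepare("INSERT INTO users (username, type) VALUES (?, ?)");
    return $ins->execute([$username, (int)$type]);
}

echo permissionOptions($db, '2'), "\n";
var_dump(registerUser($db, 'alice', '2'));
var_dump(registerUser($db, 'mallory', '2 OR 1=1'));  // rejected before reaching SQL
```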
