I've been reading up on SQL injections and I couldn't find an answer to this question.
I understand if I have a query like this
prepare("SELECT id, foo, ba
If you are not running your query on user-inputted values, then use the query() method instead. Don't use bindParams() and execute() since you are not working with prepare().
query("SELECT username, foo, bar from table where id = '$id'");
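As an added example (not code from the question or the answer above), here is the split the answer describes, written against PDO: query() for a statement whose text is entirely developer-written, and prepare()/bindValue()/execute() when the id arrives from the client. It assumes PHP's pdo_sqlite extension and an in-memory database; the table and rows are constructed here.

```php
<?php
// Added example, not from the original post. Assumes the pdo_sqlite extension.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data so the script runs offline.
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, foo TEXT, bar TEXT)");
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 'a', 'b'), (2, 'bob', 'c', 'd')");

// Case 1: no part of the SQL text comes from the request, so query() is adequate.
// The statement is a fixed string the developer wrote; there is nothing to bind.
$all = $pdo->query("SELECT id, username, foo, bar FROM users ORDER BY id")
           ->fetchAll(PDO::FETCH_ASSOC);

// Case 2: the id is client-supplied, so it is passed as a bound parameter.
// The placeholder :id is part of the statement; the value travels separately
// and is always treated as data, never parsed as part of the SQL.
function findUser(PDO $pdo, string $id): ?array
{
    $stmt = $pdo->prepare("SELECT id, username, foo, bar FROM users WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A well-formed id matches a row.
var_dump(findUser($pdo, '2'));

// A value that is not a plain id is compared as a literal string against the
// id column and simply matches nothing; the statement's structure is unchanged.
var_dump(findUser($pdo, '2 abc'));

var_dump(count($all));
```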