Question about PHP & MySQLi

SecretKeeper

Dec 25, 2015
Since I was guided here for help about coding, I have a question that I can't find an answer for:

So, I have a project in development which I don't wish to name right now, but there's been a dire question that's stopped me in my tracks.

I learnt about Prepared Statements not too long ago, and I've been going on a hunt to clear up any SQLi queries that could be rendered as "unsafe" for user input. However, one question remains: "What about queries that are stored in session variables that were extracted from the database?" By this, I mean user IDs. Do any of these need to be in a Prepped Statement, or can they just go in as a normal $ variable with "real_escape_string"? :confused:

The only reason I ask is because the code that grabs a user's friends or a stated profile's posts is all crammed into one PHP file with multiple "Post" variables to tell it which query to run, and the whole thing looks a mess. So if I need to use Prepped Statements, I'll have to start from scratch (which I really don't mind, as long as I know whether it's right or wrong).

(Feel free to move this if it's in the wrong place).
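An added example to illustrate the question above (it is not code from the thread or from SecretKeeper's project): the same "profile posts" query written with `real_escape_string` and with a bound parameter. It assumes a `posts` table with `user_id`, `body` and `created_at` columns, placeholder connection details, and the mysqlnd driver for `get_result()`.

```php
<?php
// Added example, not from the thread. Table, column and credential names are assumptions.
declare(strict_types=1);

session_start();

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholder credentials
$db->set_charset('utf8mb4'); // real_escape_string() is only correct for the connection's charset

// Escaping approach: real_escape_string() only neutralises quote characters.
// Here the value lands in an UNQUOTED numeric comparison, so escaping changes
// nothing: any non-numeric text is still spliced into the SQL. That the value
// once came out of the database (via $_SESSION) does not make it trustworthy.
function postsForProfileEscaped(mysqli $db, string $profileId): array
{
    $escaped = $db->real_escape_string($profileId);
    $sql = "SELECT id, body, created_at FROM posts WHERE user_id = $escaped ORDER BY created_at DESC";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// Prepared statement: the id travels to the server as a bound integer, never
// as SQL text, so it cannot change the query's structure wherever it came from.
function postsForProfilePrepared(mysqli $db, int $profileId): array
{
    $stmt = $db->prepare(
        'SELECT id, body, created_at FROM posts WHERE user_id = ? ORDER BY created_at DESC'
    );
    $stmt->bind_param('i', $profileId); // 'i' = integer parameter
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
    $stmt->close();
    return $rows;
}

// Session-stored ids get the same treatment as POST input: validate the type at
// the boundary, then bind. No escaping step is needed for either of them.
$viewerId  = filter_var($_SESSION['user_id'] ?? null, FILTER_VALIDATE_INT);
$profileId = filter_var($_POST['profile_id'] ?? null, FILTER_VALIDATE_INT);
if ($viewerId === false || $profileId === false) {
    http_response_code(400);
    exit('invalid id');
}

$posts = postsForProfilePrepared($db, $profileId);
```

The same `prepare` / `bind_param` pattern applies to the friends query; a small map from the "Post" action name to its fixed SQL string keeps all queries parameterised without the file growing into one large conditional.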
Well, it's much better if you are going to conduct all of them as prepared statements.

This will make the operation much more optimized and free from security risk.

However, it is up to you; usually, if it's only for educational purposes, then an ordinary variable concept is fine. Casual users barely know how to use a cheat sheet to compromise your database. ;)
@SecretKeeper: You know, if you are going to ask on StackOverflow, DreamInCode and others, they will just recommend you migrate to prepared statements besides providing the actual answer to the problem. ;)