I understand that parameterized queries are essential when user-submitted data is on the prowl, however my question is whether this applies to user-TAMPERABLE data?
So if we have an url such as ".../?id=1", would it be necessary to prepare any statement using $id or would URL encoding remove the threat?
Joe
Why wouldn't you use prepared statements / paramaterised queries for all situations where there is external/variable input?
The only queries you can trust are those where every element is hardcoded, or derived from hardcoded elements within your application.
Do not even trust data that you have pulled from your own database. This counts as external / variable data. A sophisticated attack can use more vectors than a simple "modifying a query string parameter".
I think for the tiny amount of extra code overhead, it is completely worth the peace of mind you will get from knowing your queries are protected.
Url encoding would not remove the threat.
Anything that is touchable by the user should be treated as unsafe and a potential threat. You query by id as such not validating it and just shoving it straight into a query can still cause the same injection problems as not using PDO at all.