mysql - SQL injection on fixed value?

Question:

I'm aware that if you're inserting a variable, you should use mysqli_real_escape_string. But if I'm inserting a fixed value, not a variable, do I need to use the function? For example, in the syntax below I insert the name variable, and the value '1' into the status column. Is it safe against SQL injection for the column status, since it is not a variable?

"insert customer(name, status) values ('".mysqli_real_escape_string($conn, $name) ."', '1')";

Answer:

When using mysqli, the safest option is to use prepared statements:

$stmt = $mysqli->prepare("insert customer(name, status) values (?, '1')");
$stmt->bind_param("s", $name);
$stmt->execute();

(See http://php.net/manual/en/mysqli.quickstart.prepared-statements.php for a more detailed explanation and working code.)

In it you can leave static values as they are; nobody can replace those. You can also alter the table:

alter table customer alter column status set default '1';

Then you don't have to set it any longer.
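The two approaches from the answer carried through end to end, as an added example that is not the answerer's code: the fixed status literal is part of the parsed SQL text, while the name travels as a bound parameter and is never re-parsed. It assumes a `customer` table with an auto-increment `id`, `name` and `status` columns, placeholder connection credentials, and the mysqlnd driver (needed for `get_result()`).

```php
<?php
// Added example (not from the original answer). Assumes a MySQL table
//   customer(id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(100), status CHAR(1))
// and the placeholder connection details below.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholders

// The status value '1' is a literal inside the SQL string, so it is fixed at
// prepare time. Only the "?" placeholder carries user data, which is sent to
// the server separately from the statement text and is never parsed as SQL.
function insertCustomer(mysqli $db, string $name): int
{
    $stmt = $db->prepare("INSERT INTO customer (name, status) VALUES (?, '1')");
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return (int) $stmt->insert_id;
}

// Variant that relies on the column default set once with
//   ALTER TABLE customer ALTER COLUMN status SET DEFAULT '1';
// so the application never mentions status at all.
function insertCustomerWithDefault(mysqli $db, string $name): int
{
    $stmt = $db->prepare("INSERT INTO customer (name) VALUES (?)");
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return (int) $stmt->insert_id;
}

// Constructed input containing quote and comment characters; with a prepared
// statement it is stored as plain data and cannot touch the status literal.
$awkwardName = "O'Brien', '0'); -- ";
$id = insertCustomer($db, $awkwardName);

// Read the row back and check that the name is stored verbatim and status is '1'.
$stmt = $db->prepare("SELECT name, status FROM customer WHERE id = ?");
$stmt->bind_param('i', $id);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
if ($row['name'] !== $awkwardName || $row['status'] !== '1') {
    throw new RuntimeException('unexpected row contents');
}
```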