mysql – Using parametrized queries in PHP

I am currently developing a Slack app in PHP.
I’m trying to make the app as secure as possible, that’s for sure.
So far, I have done the following:

  1. Verified the requests using signing secrets
  2. Making sure the requests are less than 5min old (thinking of shortening this time)
  3. In the few cases where there is user input, that input has been checked against a whitelist.

Now I’m here asking a question because it has come to the part of using SQL. I am somewhat familiar with basic SQL (INSERT, SELECT, DELETE, UPDATE, etc.) and so far I was simply putting the user input after being checked. I did some research about parametrized queries and I saw the following points:
  • Huge improvement in security (since the parameters get sent separately to the query; apparently this allows no chance for SQL injection).
  • Speed increase (since you’re only sending the parameters to the query instead of a fully formed query, it is faster).
  • If you’re only running the query once, it doesn’t provide much speed benefit (which applies to my case).
  • Doesn’t support dynamically built queries (I’m not sure if this applies to me, but what I’m doing is running a specific query depending on the user who calls my app). Further clarification at the end.

Also, in some of the queries I have been using there are variables which are sent as part of the POST request.
For instance, this piece of code:

$user_id = $_POST['user_id']; // $_POST is an array, so it is indexed with [], not called with ()
$sql = "SELECT * FROM table_name WHERE UserID = '" . $user_id . "'";
{...} // Rest of code to connect to the database, execute the query and the like

My question is: should I parametrize SQL queries when the variable is not dependent on user input, but it’s not fixed?

In my job there are several positions, and what I am developing is an app to help the different people find who is available to give them an off day. But for instance, people who are an “officer” can’t substitute a “manager”, if you understand my example. However, there is an intermediate role, who can be both a “manager” and “officer”. The role of each user is determined by higher-ups; all I’m doing is storing those roles and showing certain info depending on which role you have.
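The two situations from the question written with PDO prepared statements, as an added example that is not the asker's code: the fixed `UserID` lookup, and the "dynamic" role-dependent query where only the number of placeholders varies and every value is still bound. It assumes a MySQL table `table_name` with `Role` and `Available` columns; the DSN, credentials and the `CAN_COVER` policy table are constructed for illustration.

```php
<?php
// Added example, not the asker's code. Placeholder DSN and credentials.
const DB_DSN  = 'mysql:host=127.0.0.1;dbname=slackapp;charset=utf8mb4';
const DB_USER = 'slackapp';
const DB_PASS = 'change-me';

$pdo = new PDO(DB_DSN, DB_USER, DB_PASS, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares, not client-side quoting
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// 1. The query from the question, parameterised: the SQL text is a constant
//    and the value travels separately, so $userId is never quoted or escaped by hand.
function findUser(PDO $pdo, string $userId): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM table_name WHERE UserID = :id');
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// 2. Role-dependent query. Which roles may cover for a given role is policy
//    data kept in code (constructed here), not something taken from the request.
const CAN_COVER = [
    'officer' => ['officer', 'intermediate'],
    'manager' => ['manager', 'intermediate'],
];

function availableSubstitutes(PDO $pdo, string $role): array
{
    if (!isset(CAN_COVER[$role])) {          // whitelist the key, never build SQL from it
        throw new InvalidArgumentException('unknown role');
    }
    $roles = CAN_COVER[$role];
    // The only dynamic part is how many "?" placeholders appear, and that count
    // comes from our own constant table; the role names are still bound as values.
    $placeholders = implode(',', array_fill(0, count($roles), '?'));
    $stmt = $pdo->prepare(
        "SELECT UserID FROM table_name WHERE Role IN ($placeholders) AND Available = 1"
    );
    $stmt->execute($roles);
    return $stmt->fetchAll();
}

// Usage: read the request value, then pass it to the prepared statement as data.
$userId = $_POST['user_id'] ?? '';
$user = findUser($pdo, $userId);
if ($user !== null) {
    $candidates = availableSubstitutes($pdo, $user['Role']);
}
```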