Question

I am fairly new to MySQL so my apologies if this sounds like a silly question.

When I was learning about SQL security and preventing SQL injection, I learned that it's better to use bind_param when fetching results for an id like this:

//Prepare Statement
$stmt = $mysqli->prepare("SELECT * FROM my_table WHERE id=?");

if ( false===$stmt ) {
  die('prepare() failed: ' . htmlspecialchars($mysqli->error));
}

$rc = $stmt->bind_param("i", $id);

if ( false===$rc ) {
  die('bind_param() failed: ' . htmlspecialchars($stmt->error));
}

$rc = $stmt->execute();

if ( false===$rc ) {
  die('execute() failed: ' . htmlspecialchars($stmt->error));
}


// Get the data result from the query. You need to bind results for each column that is called in the prepare statement above
$stmt->bind_result($col1, $col2, $col3, $col4);

/* fetch values and store them in each variable */
while ($stmt->fetch()) {
   $id = $col1;
   $abc = $col2; 
   $def = $col3; 
   $xyz = $col4;
}

$stmt->close();

$mysqli->close();

At the moment, when I am fetching all results, I am using this:

$query = "SELECT * FROM my_table";
$result = mysqli_query($connect, $query);

if (!$result)
{
  // mysqli_error() needs the connection handle in procedural style
  die('Error fetching results: ' . mysqli_error($connect));
}

echo '<table border="1">'; // start a table tag in the HTML
// Loop through the result rows one at a time
while ($row = mysqli_fetch_array($result))
{
    // note: column values are echoed into HTML without escaping
    echo "<tr><td>" . $row['abc'] . "</td><td>" . $row['def'] . "</td><td>" . $row['xyz'] . "</td></tr>";
}
echo '</table>'; // Close the table in HTML

My question is:

1) For my second code, do I need to use bind_result when fetching all results for any security reasons similar to my first example?

2) If yes, how can I use prepare statement with bind_result when I am fetching all results and not using $id?

3) If I use the second example the way it is for fetching all results, are there any security issues?

Can you help me understand this please...


Solution

1) For my second code, do I need to use bind_result when fetching all results for any security reasons similar to my first example?

No. bind_result() has nothing to do with security. You can use whatever method you wish with any query.

2) If yes, how can I use prepare statement with bind_result when I am fetching all results and not using $id?

Exactly the same way as with any other query. There is no difference, actually, and having any particular variable doesn't matter at all.

3) If I use the second example the way it is for fetching all results, are there any security issues?

There is always a security issue. But none from the area of SQL injection in this snippet. You may wish to check for XSS issues.

Just to clarify your ambiguous question:
In case you are confusing bind_result with bind_param, here is a rule of thumb: you have to use a placeholder (and thus bind_param()) for every variable that is going into the query. Always. No exceptions.

From this rule you can simply tell if you need to use prepare() or not in any particular case.

Also, there is no need for such long-winded code in the first example.

$stmt = $mysqli->prepare("SELECT * FROM my_table WHERE id=?");
$rc = $stmt->bind_param("i", $id);
$rc = $stmt->execute();
$stmt->bind_result($id, $abc, $def, $xyz);
while ($stmt->fetch()) {
  echo $id;
}

Just set mysqli in exception mode before connect:

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
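Putting the answer's rule of thumb together with its XSS remark, here is an added example (not code from the question or the answer) covering both of the asker's queries in one function: the all-rows query has no variable and so needs no placeholder, the by-id query binds its one variable, and both escape column values on output. The host, credentials, and the columns abc/def/xyz are placeholders taken from the question's snippets.

```php
<?php
// Added example: one function for both queries from the question.
// Connection details and column names are placeholders/assumptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any mysqli error
$mysqli = new mysqli('localhost', 'user', 'password', 'database'); // placeholder credentials

// Returns an HTML table of rows from my_table. With $id === null the query
// contains no variable, so no placeholder is needed; with an id, the value
// enters the query only through bind_param(), never by string concatenation.
function render_rows(mysqli $mysqli, ?int $id = null): string
{
    // Name the columns explicitly so bind_result() matches them in order;
    // SELECT * would silently desynchronise if the table gained a column.
    $sql = "SELECT abc, def, xyz FROM my_table";
    if ($id !== null) {
        $sql .= " WHERE id=?";
    }
    $stmt = $mysqli->prepare($sql);
    if ($id !== null) {
        $stmt->bind_param("i", $id);
    }
    $stmt->execute();
    $stmt->bind_result($abc, $def, $xyz);

    $html = '<table border="1">';
    while ($stmt->fetch()) {
        $html .= '<tr>';
        foreach ([$abc, $def, $xyz] as $value) {
            // The prepared statement only covers SQL injection; escaping on
            // output is what covers the XSS concern raised in the answer.
            $html .= '<td>' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '</td>';
        }
        $html .= '</tr>';
    }
    $html .= '</table>';
    $stmt->close();
    return $html;
}

echo render_rows($mysqli); // all rows, no placeholder needed
if (isset($_GET['id'])) {
    echo render_rows($mysqli, (int) $_GET['id']); // one row, id from user input via bind_param()
}
$mysqli->close();
```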
License: CC-BY-SA Attribution
Not affiliated with StackOverflow