Is It Okay To Put Some Values Directly Into an SQL Query?

Posted on Nov 7th, 2021 by

If you've been looking into how to write database code in PHP the "right" way, you probably know that you want to be using prepared statements.

However, with all the (understandable) focus most resources put on using parameters instead of just putting your values into the string, you might be confused as to whether you're allowed to put values you know won't change into the query string, like for a LIMIT clause:

$db->prepare('SELECT * FROM fruit WHERE name = :name LIMIT 1');

The answer to this is: yes, you can!

The reason most values in queries like this need to be parameters is to keep user input out of the query string, because user input concatenated into SQL is what opens you up to SQL injection. If a value is a fixed constant written in your own code, like the LIMIT 1 in this example, it's fine to put it directly in the query.
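To make the distinction concrete, here is an added example (not code from the original post). It assumes PHP with the PDO SQLite driver so it runs against an in-memory database; the table, rows and the helper functions findFruitUnsafe, findFruitSafe and findFruitsLimited are all constructed for this illustration.

```php
<?php
// Added example, not from the original post. In-memory SQLite so it runs offline;
// the table and its rows are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE fruit (id INTEGER PRIMARY KEY, name TEXT)');
foreach (['apple', 'banana', 'cherry'] as $n) {
    $db->prepare('INSERT INTO fruit (name) VALUES (:name)')->execute([':name' => $n]);
}

// UNSAFE: a user-controlled value is interpolated into the query string.
function findFruitUnsafe(PDO $db, string $userName): array {
    $sql = "SELECT * FROM fruit WHERE name = '$userName' LIMIT 1";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the user input is a bound parameter. LIMIT 1 is a constant the
// developer wrote, so it can stay in the query string.
function findFruitSafe(PDO $db, string $userName): array {
    $stmt = $db->prepare('SELECT * FROM fruit WHERE name = :name LIMIT 1');
    $stmt->execute([':name' => $userName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// If the row count has to vary at runtime, bind it as an integer instead of
// building the string. The int type hint guarantees it is a number, and
// PDO::PARAM_INT keeps the driver from quoting it as a string.
function findFruitsLimited(PDO $db, string $userName, int $limit): array {
    $stmt = $db->prepare('SELECT * FROM fruit WHERE name = :name LIMIT :lim');
    $stmt->bindValue(':name', $userName, PDO::PARAM_STR);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: an ordinary name containing an apostrophe is enough to
// break the interpolated query, while the prepared one handles it correctly.
$input = "O'Brien";
try {
    findFruitUnsafe($db, $input);
} catch (PDOException $e) {
    echo "unsafe query failed: ", $e->getMessage(), "\n"; // SQL syntax error from the stray quote
}
echo count(findFruitSafe($db, $input)), " row(s) from the safe query\n";       // 0: no such fruit
echo count(findFruitsLimited($db, 'apple', 5)), " row(s) with a bound LIMIT\n"; // 1
```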
