why MySQLi prepared statements?

Question

What are the advantages of using prepared statements with MySQLi?

If the only purpose is to secure the query, isn\'t it better to clean the query using something li

Answer 1

There are several advantages:

• Security - you don't need to escape anything, you just need to bind the parameters.
• Correctness - If you write WHERE $x = 4 you will get a syntax error if $x is null, but WHERE ? = 4 will work.
• Performance - prepared queries can be reused with different parameters, saving rebuilding the string, and also reparsing on the server.
• Maintainability - the code is much easier to read. When concatenating strings to create the SQL it's easy to end up with lots of small pieces of SQL and PHP code intermingled. Using prepared statements encourages you to separate the SQL from determining the values of the variables.