MySQL PHP PDO prepared statements - performance issues vs security

Question

I am thinking of rewriting some open-source application for my purposes to PDO and transactions using InnoDB (mysql_query and MyISAM now).

My question is: Which case

Answer 1

My question is: Which cases are reasonable for using prepared statements?

All of them. The community is openly-opposed to the usage of mysql_* functions.

Note: Suggested alternatives

Use of this extension is discouraged. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API for more information.

Alternatives to this function include:

• mysqli_connect()
• PDO::__construct()

source

But thinking it over and over it comes to mind that having to prepare the statement every time and then use it once.. It doesn't make sense

You're trading in a Geo for a Jaguar and you're complaining that you don't like the Jaguar because you don't always use the seat-heaters. You don't have to be consistently using every function of a library to mean it's good.

I found there is this mysql_real_escape called $pdo->quote as well for the purpose of single query. Why not to use this? Why to bother with preparing?

If you are using this function to build SQL statements, you are strongly recommended to use PDO::prepare() to prepare SQL statements with bound parameters instead of using PDO::quote() to interpolate user input into an SQL statement. Prepared statements with bound parameters are not only more portable, more convenient, immune to SQL injection, but are often much faster to execute than interpolated queries, as both the server and client side can cache a compiled form of the query. source