MySQLi: query VS prepare

Question

There is something I don\'t quite understand it at all which is prepare and query in mysqli.

This one is using mysqli::query t

Answer 1

Prepared statements are preferable to plain SQL queries when you are using parameters to dynamically generate the query. In you example, your SQL contains no variables, so using a plain query or prepared statement are functionally equivalent.

When you must change the values of parameters, in the WHERE clause, for example, then prepared statements will give you added security:

...
WHERE col1 = ? AND col2 = ?

But when your query is simple and fixed, it may require less code to use $mysqli->query($sql) along with fetch_assoc(). Using direct queries rather than prepared statements is not a universally bad practice, as some might have you believe. When your query requires parameterization, or when the same query must be compiled and executed repeatedly, then you'll benefit from the prepared statement.

Answer 2

Sorry that this is not an answer, but I am not good enough to actually leave a comment.

It looks like there is a bug in your second function. Your code won't work correctly for queries that return more than one row. Shouldn't that return statement be:

while($stmt->fetch()) {

    //to dereference
    $row_copy = $parameters;
    $return_array[] = $row_copy;

}

And then the function should end with:

return $return_array;