Larry Ullman's Book Forums

xterminal

  1. I've been going through the book wondering about when to use prepared statements. Of course, the conventional wisdom is "ALWAYS use prepared statements". I assumed when it wasn't done here either it wasn't being done because the topic hadn't been introduced yet (in the earlier chapters) or that it wasn't there because the author was focusing on another aspect of the code he was illustrating. And I was very happy with that hypothesis until I got to 17.10, where a regular mysqli_query($dbc, $q) statement is followed just a few lines later by a prepared statement. This tells me that there was a reason for using one type on line 23 and one type on line 41. Which, of course, brings me to the question: given that both involve sensitive data one would want (one assumes) to try and make as hard to hack as possible, why use the different methods? Or am I thinking about this all wrong? (I'm a database guy, so I tend to think from the data side rather than the code side.)