Larry Ullman's Book Forums

When To Use Prepared Statements?

I've been going through the book wondering about when to use prepared statements. Of course, the conventional wisdom is "ALWAYS use prepared statements". I assumed that when it wasn't done here, either it wasn't being done because the topic hadn't been introduced yet (in the earlier chapters), or it wasn't there because the author was focusing on another aspect of the code he was illustrating. And I was very happy with that hypothesis until I got to 17.10, where a regular mysqli_query($dbc, $q) statement is followed just a few lines later by a prepared statement. This tells me that there was a reason for using one type on line 23 and one type on line 41.

Which, of course, brings me to the question: given that both involve sensitive data one would want (one assumes) to try and make as hard to hack as possible, why use the different methods?

Or am I thinking about this all wrong? (I'm a database guy, so I tend to think from the data side rather than the code side.)


Not so sure about that conventional wisdom! As far as I'm concerned, anything that starts with "ALWAYS" isn't that wise. Some people prefer prepared statements and others don't. I would never say prepared statements are better than standard queries or vice versa. Each is better in some situations. Both are equally secure, in my opinion (if you take the right steps).
Once you set aside the security question, I think of prepared statements as being better for situations where the same query is run multiple times in a script. That's why line 41 uses them for that query but line 23 uses a standard query (because there's no benefit gained by using a prepared statement).

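The two styles side by side, as an added example that is not code from the book or from either post: a one-off standard query whose value is escaped for the connection, and a prepared statement parsed once and executed repeatedly. The table, column names, and connection details are assumptions.

```php
<?php
// Added example, not the book's code. Assumes a MySQL database `bookdb` with a table:
//   CREATE TABLE users (user_id INT PRIMARY KEY, email VARCHAR(80), last_login DATETIME);
// The connection details are placeholders.
$dbc = mysqli_connect('localhost', 'username', 'password', 'bookdb');
if (!$dbc) {
    die('Could not connect: ' . mysqli_connect_error());
}

// 1. A query run once, standard style (the "line 23" situation).
//    The value is still made safe: it is escaped for this connection's
//    character set and wrapped in quotes, so the security step is not
//    skipped, it is just done differently from binding a parameter.
$email = mysqli_real_escape_string($dbc, $_GET['email'] ?? '');
$q = "SELECT user_id FROM users WHERE email='$email'";
$r = mysqli_query($dbc, $q);
if ($r && mysqli_num_rows($r) === 1) {
    list($user_id) = mysqli_fetch_array($r, MYSQLI_NUM);
    mysqli_free_result($r);
}

// 2. The same query run many times, prepared style (the "line 41" situation).
//    MySQL parses and plans the statement once; each execution only sends
//    the bound value, which is never interpolated into the SQL text.
$ids = [3, 17, 42]; // constructed sample input
$stmt = mysqli_prepare($dbc, 'UPDATE users SET last_login=NOW() WHERE user_id=?');
mysqli_stmt_bind_param($stmt, 'i', $id); // binds $id by reference
foreach ($ids as $id) {
    mysqli_stmt_execute($stmt);          // re-uses the prepared plan with the new $id
    if (mysqli_stmt_affected_rows($stmt) !== 1) {
        error_log("No row updated for user_id $id");
    }
}
mysqli_stmt_close($stmt);
mysqli_close($dbc);
```

Because the parameter is bound by reference, assigning a new value to `$id` in the loop is all that changes between executions.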
