
Advantages of using prepared statements over normal mysqli statements?

I have done my research and have decided to use prepared statements in my queries. All I ask is whether there is anything I should know, good or bad, about switching from normal mysqli queries to prepared statements.

Also, I don't understand the logic of how escaping bad characters is no longer needed?


Escaping bad characters is still needed, but the library does it automatically for all parameters you bind. It's just slightly more convenient, and prevents the programmer from forgetting to sanitize a value.

However, note that this automatism is limited to parameters!

The following query is safe, because bind_param() takes care of escaping:

$code = $_GET["code"];
$name = $_GET["name"];
$percentage = $_GET["percentage"];

// The three values are sent to the server separately from the SQL text.
$stmt = $mysqli->prepare("INSERT INTO items VALUES (?, ?, ?)");
$stmt->bind_param('iss', $code, $name, $percentage);   // $code, not a bare "code"
$stmt->execute();

The following query is unsafe, because anything you put directly into the query will not be escaped automatically:

$tablename = $_GET["prefix"]."_items";
$code = $_GET["code"];
$name = $_GET["name"];
$percentage = $_GET["percentage"];

// ---- UNSAFE! ---- the table name is interpolated straight into the SQL text
$stmt = $mysqli->prepare("INSERT INTO `$tablename` VALUES (?, ?, ?)");
$stmt->bind_param('iss', $code, $name, $percentage);
$stmt->execute();

That said, one shouldn't be using dynamic table names like the ones shown in this example anyway. But the point stands: be careful, even with parametrized queries!

The only downside I can think of is that you can't see the final query any more for debugging (because it gets assembled only on server side).
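An added example, not code from the answer above, showing the hardened form of the unsafe snippet: the table prefix is checked against a fixed allowlist (an identifier cannot be bound, so it is rejected rather than escaped), while the three values still go through bind_param(). The connection details, the allowed prefixes, and the column names of the `*_items` tables are assumptions.

```php
<?php
// Added example, not code from the answer: allowlisting the dynamic table
// name while still binding the values. Connection details, prefixes and the
// column names of the *_items tables are assumptions.
declare(strict_types=1);

// Make prepare()/execute() throw instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

const ALLOWED_PREFIXES = ['shop', 'warehouse', 'archive'];   // assumed list

function insertItem(mysqli $db, string $prefix, int $code, string $name, string $percentage): int
{
    // An identifier is part of the SQL text, so no placeholder can carry it.
    // Do not escape it; compare it against a closed list and reject the rest.
    if (!in_array($prefix, ALLOWED_PREFIXES, true)) {
        throw new InvalidArgumentException('unknown table prefix');
    }
    $table = $prefix . '_items';

    // Values travel separately from the SQL text, so a $name such as
    // "x'); DROP TABLE items; --" is stored as exactly that literal string.
    $stmt = $db->prepare("INSERT INTO `$table` (code, name, percentage) VALUES (?, ?, ?)");
    $stmt->bind_param('iss', $code, $name, $percentage);
    $stmt->execute();
    $inserted = $stmt->affected_rows;
    $stmt->close();
    return $inserted;
}

$db = new mysqli('localhost', 'app', 'secret', 'shop');   // assumed credentials
$db->set_charset('utf8mb4');

// Validate the request parameters before they reach the function: the
// integer is checked here, the prefix inside insertItem().
$code = filter_input(INPUT_GET, 'code', FILTER_VALIDATE_INT);
if ($code === false || $code === null) {
    http_response_code(400);
    exit("code must be an integer\n");
}

try {
    $rows = insertItem(
        $db,
        (string) ($_GET['prefix'] ?? ''),
        $code,
        (string) ($_GET['name'] ?? ''),
        (string) ($_GET['percentage'] ?? '')
    );
    echo "inserted $rows row(s)\n";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo $e->getMessage(), "\n";
}
```

The allowlist comparison uses a strict in_array() so that a prefix like "0" cannot match through loose type juggling, and the rejection message deliberately does not echo the submitted prefix back to the client.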


There are at least two advantages:

  • You don't have to deal with escaping values: it's done automatically (when using bound parameters, of course)
  • The statement is sent to the SQL server and prepared only once; it can then be executed several times, which is great for performance (the statement is parsed only once, even if executed lots of times)


  1. If you use prepared statements with placeholders (? unnamed, or :name named), the values you insert there are automatically quoted.
  2. Prepared statements get pre-compiled by the DBMS engine. So the query is only parsed once, and on later calls it just replaces the placeholders with the values.
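An added example, not code from either of the two answers above, of the "prepare once, execute many" point they both make: one prepare() call, then execute() in a loop, with the whole batch wrapped in a transaction so a failure half-way through leaves nothing behind. bind_param() binds by reference, so reassigning the variables between executions sends the new values without re-parsing the SQL. The connection details and the sample rows are assumptions.

```php
<?php
// Added example (not from either answer): one prepare(), many execute().
// bind_param() binds by reference, so reassigning the variables between
// execute() calls sends new values without re-parsing the SQL. The
// connection details and the sample rows are assumptions.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Inserts every [code, name, percentage] row with a single prepared statement.
 * Returns the number of rows inserted; rolls back everything on any failure.
 */
function insertItems(mysqli $db, array $rows): int
{
    $stmt = $db->prepare("INSERT INTO items (code, name, percentage) VALUES (?, ?, ?)");

    // Bind once; the variables are captured by reference.
    $code = 0;
    $name = '';
    $percentage = '';
    $stmt->bind_param('iss', $code, $name, $percentage);

    $db->begin_transaction();
    try {
        $count = 0;
        foreach ($rows as [$code, $name, $percentage]) {   // reassigns the bound variables
            $stmt->execute();                              // server reuses the parsed statement
            $count += $stmt->affected_rows;
        }
        $db->commit();
    } catch (mysqli_sql_exception $e) {
        $db->rollback();
        throw $e;
    } finally {
        $stmt->close();
    }
    return $count;
}

$db = new mysqli('localhost', 'app', 'secret', 'shop');   // assumed credentials
$db->set_charset('utf8mb4');

// Constructed sample input; the second name contains a quote and a comment
// marker, which is stored verbatim because it never touches the SQL text.
$rows = [
    [1, 'widget', '12.5'],
    [2, "gadget'); -- ", '7'],
    [3, 'gizmo', '99.9'],
];
printf("inserted %d rows\n", insertItems($db, $rows));
```

Keeping the bound variables alive for the lifetime of the statement matters: binding to temporaries inside the loop would silently send stale values, which is why the three variables are declared before bind_param() and only reassigned afterwards.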


Most people do confuse prepared statements with placeholders.

The general idea of using placeholders is really great, while prepared statements are just a subset of placeholders with limited functionality.

Placeholders are great because:

  • they are safer because they do all the proper formatting (not silly "escaping"!)
  • they are easier to use because they do all the proper formatting automatically.
  • they are convenient as they do all the proper formatting only on the value that goes right into query, but not on the source variable.

As for the performance issues everyone is talking about, most of the time prepared statements are slower than regular queries. However, the difference is going to be unnoticeable in both cases.
