Using PREPARE command(SQL) vs PDO or mysqli function

I develop web applications using PHP and use MySQL as the database. I am trying to understand the usage of prepared statements and am just taking my first steps.

As I understand it, prepared statements are primarily to:

1. Increase the efficiency of the query(pre-par开发者_开发知识库sing, cached execution plan, binary data transfer between client and server)

2. Ensure protection from code injection attacks (not entirely clear on this, but I think I have a basic understanding)

(may be there are other uses as well)

The question is,

why not just use the PREPARE statement that MySQL provides and make your prepared statements before hand and then use those in your PHP application, either PDO or mysqli? Better yet, make stored procedures using these prepared statements and expose only those to the PHP programmers?

This way, the actual burden of making the correct queries is separated / handled by the database programmer. PHP programmer can completely focus only on the application implementation and optimization.

I don't foresee any changes in the database that I would be using anytime soon. MySQL meets all the requirements. But just to keep my application clean and DB agnostic, I could use PDO. Or stick to procedural coding and do mysqli

Is this a valid / tried and tested approach to go about building an application?

Thanks

The result of the PREPARE statement is somewhat special and is not returnable to the user. You can use it by storing in a variable of course in MySQL. But, that's not standard. MySQL gives you APIs so that the PDO driver utilizes them and you can write DB agnostic code. I see totally no reason not to do that. Among the many things using PDO I particularly like DBTNG (Drupal 7 DB layer spinned off) because I had a part in writing it :) and idiorm.