Paul M Foster <paulf@xxxxxxxxxxxxxxxxx> writes:

> On Tue, Jul 14, 2020 at 06:09:38PM +0300, Ashkar Dev wrote:
>
>> Thanks,
>> do you know when it is required to use (prepare) function?
>>
>
> The prepare() function is not required, but advised. You feed the
> prepare function a SQL statement with placemarkers (like '?')
> substituted for the values. This sets up the query internally in the PDO
> object. Then you run execute() with an array of the values to
> substitute. This does two things: it quotes the fields, if they are of
> the string variety, and it eliminates embedded SQL code exploits which
> might be in your fields. Like:
>
> $pdo_result = $pdo_object->prepare('INSERT INTO fruit (sour, sweet)
> VALUES (?, ?)');
> $fruit_array = ['apple', 'pear'];
> $pdo_result->execute($fruit_array);
>
> All this seems kinda klunky to me, so I wrote a wrapper class around PDO
> to hide all the internal details. But this is what it does internally.
>
> Somebody correct me if I'm wrong here. I'm doing this from memory.

From what I remember reading, the prepare statement is separated from the
query, so no injections are possible. The statement is prepared on the
server, so similar queries using the same prepare can be executed very
efficiently.

--
Asahi Net, Inc. Tokyo, Japan
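The prepare()/execute() flow discussed in the thread, as an added example that is not part of either message: it assumes an in-memory SQLite database (so it runs offline with only the pdo_sqlite extension), and the fruit table and input values are constructed for the demonstration. It places the string-interpolated query beside the prepared one so the difference in how a quote character in user input is handled is visible.

```php
<?php
// Added example, not code from the thread. In-memory SQLite is assumed so
// that the script runs offline; the table and values are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE fruit (sour TEXT, sweet TEXT)');

// Constructed input containing a single quote, as user input often does.
$sour  = "Granny Smith's";
$sweet = 'pear';

// 1) String interpolation: the quote inside $sour terminates the SQL string
//    literal early, so the text of the statement itself changes. With this
//    input it only fails with a syntax error; other input could change the
//    meaning of the statement instead, which is the injection risk.
try {
    $pdo->exec("INSERT INTO fruit (sour, sweet) VALUES ('$sour', '$sweet')");
} catch (PDOException $e) {
    echo "Interpolated query failed: " . $e->getMessage() . "\n";
}

// 2) prepare()/execute(): the SQL text is fixed when prepare() runs; the
//    values are supplied separately as parameters and are never parsed as SQL,
//    so the quote in $sour is stored as data.
$stmt = $pdo->prepare('INSERT INTO fruit (sour, sweet) VALUES (?, ?)');
$stmt->execute([$sour, $sweet]);

// One prepared statement, several execute() calls: the statement is parsed
// once and run for each row of values.
foreach ([['lemon', 'mango'], ['lime', 'fig']] as $row) {
    $stmt->execute($row);
}

// Read back with a prepared SELECT: the stored value is exactly the input.
$select = $pdo->prepare('SELECT sour, sweet FROM fruit WHERE sour = ?');
$select->execute([$sour]);
var_dump($select->fetch(PDO::FETCH_ASSOC));

$count = $pdo->query('SELECT COUNT(*) FROM fruit')->fetchColumn();
echo "rows in fruit: $count\n";
```

With the pdo_mysql driver, PDO emulates prepared statements client-side by default; set the PDO::ATTR_EMULATE_PREPARES attribute to false if you want the statement actually prepared on the server.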