DB Class Prepare Method

[Sim]

How many MODDers here are opposed or against or not opposed and not against doing this?

        $insert = $this->db->prepare ("INSERT INTO
            tradeItems
            (
              TI_tradeID,
              TI_userID,
              TI_invIDs
            )
            VALUES
            (
             '" . $ID . "',
             '" . $this->user->info->U_id . "',
             '" . $invIDs . "'
            )"
            );
            
        $insert->execute();

 

Instead of binding every field.

$insert->bindData(":ID", $ID);

ECT, ect

[Magictallguy]

There's very little point in using prepared statements if you're not preparing them.
I'm definitely against this method

[Dave]

I agree with @Magictallguy if you aren't using the prepared statements then just do a straight up query.

I typically don't prepare "safe" variables, like things directly pulled out of a database which have been correctly cast, but it's good practice to prepare everything just in case something slips through the gaps 🙂

[Sim]

I'm not familiar with PDO. Prepare secures data while query just queries whatever data?

[Magictallguy]

No. Prepared Statements do not secure your data any more than a standard query would. It is on the developer (namely you) to use the functionality as intended.
The most obvious difference (when coding) between PDO and, say, MySQLi is that using Prepared Statements negates the requirement for escaping data.
Another benefit of PDO is that it isn't limited to the MySQL(i) driver; it can support 12 different DB drivers (at the time of writing) - which makes it highly adaptable and extensible.

Use either properly and you should be good to go.