I read on PDO and I searched on StackOverFlow about pdo and prepare statement.

Question 1

I read on PDO and I searched on StackOverFlow about pdo and prepare statement. I want to know what are/is the benefits or using the prepare statement. eg:

$sql = 'SELECT name, colour, calories FROM fruit WHERE calories < :calories AND colour = :colour';
$sth = $dbh->prepare($sql, array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$sth->execute(array(':calories' => 150, ':colour' => 'red'));
$red = $sth->fetchAll();

vs

$sql = "SELECT name, colour, calories FROM fruit WHERE calories < $calories AND colour = $colour";
$result = $connection->query($query);
$row = $result->fetch(PDO::FETCH_ASSOC);

both queries will return the same result so why using the prepare, for me it looks like it’s gonna be slower since you have to execute an extra step.

thanks

Question 2

Prepared statements are:

Safer: PDO or the underlying database library will take care of escaping the bound variables for you. You will never be vulnerable to SQL injection attacks if you always use prepared statements.
(Sometimes) Faster: many databases will cache the query plan for a prepared statement and refer to the prepared statement by a symbol instead of retransmitting the entire query text. This is most noticeable if you prepare a statement only once and then reuse the prepared statement object with different variables.

Of these two, #1 is far more important and makes prepared statements indispensable! If you didn’t use prepared statements, the only sane thing would be to re-implement this feature in software. (As I’ve done several times when I was forced to use the mysql driver and couldn’t use PDO.)

Editorial Team · Answer 1 · 2026-05-27T03:30:15+00:00

Prepared statements are:

Safer: PDO or the underlying database library will take care of escaping the bound variables for you. You will never be vulnerable to SQL injection attacks if you always use prepared statements.
(Sometimes) Faster: many databases will cache the query plan for a prepared statement and refer to the prepared statement by a symbol instead of retransmitting the entire query text. This is most noticeable if you prepare a statement only once and then reuse the prepared statement object with different variables.

Of these two, #1 is far more important and makes prepared statements indispensable! If you didn’t use prepared statements, the only sane thing would be to re-implement this feature in software. (As I’ve done several times when I was forced to use the mysql driver and couldn’t use PDO.)

Editorial Team
2026-05-27T03:30:15+00:00Added an answer on May 27, 2026 at 3:30 am

Prepared statements are:

Safer: PDO or the underlying database library will take care of escaping the bound variables for you. You will never be vulnerable to SQL injection attacks if you always use prepared statements.

(Sometimes) Faster: many databases will cache the query plan for a prepared statement and refer to the prepared statement by a symbol instead of retransmitting the entire query text. This is most noticeable if you prepare a statement only once and then reuse the prepared statement object with different variables.

Of these two, #1 is far more important and makes prepared statements indispensable! If you didn’t use prepared statements, the only sane thing would be to re-implement this feature in software. (As I’ve done several times when I was forced to use the mysql driver and couldn’t use PDO.)

0

Reply

Share
Share

Share on Facebook

Share on Twitter

Share on LinkedIn

Share on WhatsApp

Report — Editorial Team, 2026-05-27T03:30:15+00:00Added an answer on May 27, 2026 at 3:30 am

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

I read on PDO and I searched on StackOverFlow about pdo and prepare statement.

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply