Christopher A. Watford wrote:
Prepared query handlers do the correct quoting for you; if they don't, then they should not be called prepared queries. Prepared queries do type checking, cache the base query, and offer other goodies along with proper escaping/quoting. This is why you would use prepared queries: so you don't have to worry about escaping user input for fear of injection exploits.
Note that currently MDB2 only natively supports prepared queries in the oci8, ibase and mysqli drivers. I am planning on adding native prepared query support for the pgsql driver eventually.
For all other drivers it's emulated, including proper quoting of course.
As for caching prepared statements, this is a tricky topic. PHP obviously has to rely on the database to do this properly for now, and with pgsql, for example, you run into issues, because pgsql expects the middleware to keep the handle to the prepared statement.
regards, Lukas
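The point made in this exchange, shown side by side in code: an added example, not code from either poster or from the MDB2 project itself. It places a string-interpolated query, which is injectable, next to the same lookup done through MDB2's prepare()/execute() with a type array, where MDB2 (natively or through its emulation layer) does the quoting. The MDB2 calls are used as I know them from the PEAR API; the DSN, table name and the hostile input are placeholders constructed for the example.

```php
<?php
// Added example (not from the original thread). Assumes PEAR MDB2 is installed
// and that a table "users" with columns "id" and "name" exists. The DSN is a
// placeholder; adjust it to your own database.
require_once 'MDB2.php';

$dsn  = 'mysqli://user:secret@localhost/appdb'; // placeholder DSN
$mdb2 = MDB2::connect($dsn);
if (PEAR::isError($mdb2)) {
    die('connect failed: ' . $mdb2->getMessage() . "\n");
}

// VULNERABLE: user input is glued straight into the SQL text. The input below
// (constructed for the example) turns the WHERE clause into a tautology, so
// every row comes back instead of one.
function lookupUnsafe($mdb2, $name)
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $mdb2->query($sql);
}

// SAFE: a prepared query with a placeholder and a declared parameter type.
// MDB2 supplies the value to the driver (natively on oci8/ibase/mysqli, via
// its emulation layer elsewhere), so the caller never quotes anything by hand.
function lookupSafe($mdb2, $name)
{
    $sth = $mdb2->prepare(
        'SELECT id, name FROM users WHERE name = ?',
        array('text'),           // parameter types, one per placeholder
        MDB2_PREPARE_RESULT      // this statement returns a result set
    );
    if (PEAR::isError($sth)) {
        return $sth;
    }
    $res = $sth->execute(array($name));
    $sth->free();
    return $res;
}

function countRows($res)
{
    if (PEAR::isError($res)) {
        return 'error: ' . $res->getMessage();
    }
    $n = 0;
    while ($res->fetchRow(MDB2_FETCHMODE_ASSOC)) {
        $n++;
    }
    $res->free();
    return $n;
}

// Constructed hostile input: closes the string literal and appends a tautology.
$hostile = "x' OR '1'='1";

echo 'unsafe rows: ', countRows(lookupUnsafe($mdb2, $hostile)), "\n";
echo 'safe rows:   ', countRows(lookupSafe($mdb2, $hostile)), "\n";

// For the rare case where you must build SQL text yourself (e.g. a dynamic
// IN list), MDB2::quote() applies the same driver-specific quoting with a type:
echo $mdb2->quote($hostile, 'text'), "\n";

$mdb2->disconnect();
```

Against a real table the unsafe version returns every user for the hostile input, while the prepared version searches for the literal string `x' OR '1'='1` and returns nothing. Note that quoting protects values only; table and column names cannot be passed through a placeholder, so they must come from a fixed allow list in the application rather than from the request.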