garaged wrote:
Prepared query handlers do the correct quotations for you; if they don't, then it should not be called a prepared query. Prepared queries do type checking, cache the base query, and other goodies along with proper escaping/quoting. This is why you would use prepared queries, so you don't have to worry about escaping user input for fear of injection exploits.
Do you think it is cleaner or easier to understand to do prepared queries vs correct quotation?
You have to remember exactly the correct sequence of parameters for every query. I'm not that good with memory, but I might be one in a million.
That's why I mentioned that MDB2 supports the Oracle-style :name prepared statements. Then you do not have to remember the order and you can directly reference things by their name:
See my slides on database abstraction in MDB2 and PDO for details: http://www.backendmedia.com/MDB2/database_abstraction.pdf
regards, Lukas
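The point of the exchange above, as an added example that is not part of the thread and not code from MDB2 or its slides: the same query written with positional (?) and named (:name) placeholders using PDO against an in-memory SQLite table (assumes the pdo_sqlite extension is loaded; the table and rows are constructed for the example). The last two queries feed a classic quote-and-OR input once as a bound parameter and once by string concatenation, so you can see the difference a prepared statement actually makes.

```php
<?php
// Added example, not from the thread or from MDB2: positional vs named
// placeholders in PDO, and why neither can be broken by quotes in the input.
// Assumes the pdo_sqlite extension is available.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for native (server-side) prepares where the driver supports them;
// the SQLite driver prepares natively regardless.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)');

// Constructed sample rows; one name deliberately contains a single quote.
$insert = $pdo->prepare('INSERT INTO users (name, role) VALUES (:name, :role)');
foreach ([['alice', 'admin'], ["o'brien", 'user'], ['bob', 'user']] as [$name, $role]) {
    $insert->execute([':name' => $name, ':role' => $role]);
}

// Positional placeholders: the array order must match the order of the ?s,
// which is exactly the memory burden garaged complains about.
$byPos = $pdo->prepare('SELECT name FROM users WHERE role = ? AND name LIKE ?');
$byPos->execute(['user', '%']);
print_r($byPos->fetchAll(PDO::FETCH_COLUMN));

// Named placeholders: the same query, parameters keyed by name in any order.
$byName = $pdo->prepare('SELECT name FROM users WHERE role = :role AND name LIKE :pattern');
$byName->execute([':pattern' => '%', ':role' => 'user']);
print_r($byName->fetchAll(PDO::FETCH_COLUMN));

// The classic injection string is bound as a value: the driver never splices
// it into the SQL text, so the quote and the OR are compared literally
// against the role column and match nothing.
$hostile = "user' OR '1'='1";
$byName->execute([':role' => $hostile, ':pattern' => '%']);
print_r($byName->fetchAll(PDO::FETCH_COLUMN));

// Contrast: the same input concatenated into the SQL text changes the
// query's structure (AND binds tighter than OR) and returns every user.
$unsafe = "SELECT name FROM users WHERE role = '" . $hostile . "' AND name LIKE '%'";
print_r($pdo->query($unsafe)->fetchAll(PDO::FETCH_COLUMN));
```

Run it with `php example.php`: the first two queries return the same two users, the bound hostile input returns no rows, and the concatenated version returns all three. Two caveats worth knowing: PDO accepts the parameter keys with or without the leading colon, and placeholders (positional or named) only ever stand in for values. Table names, column names and ORDER BY directions cannot be parameterised, so anything user-controlled in those positions still has to be validated against an allow-list.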