switching to mysqli_prepared statements

[eMonk]

I want to switch to mysqli_prepared statements but have a question before I start.

 

example 1

$query = $mysqli->prepare('SELECT * FROM users WHERE username = ?');
$query->bind_param('s', $_GET['username']);
$query->execute();

example 2

$query = $mysqli->prepare("SELECT * FROM users WHERE username = 'Rick' ");
$query->execute();

Is bind_param always necessary and why, for security reasons? 

Edited August 6, 2013 by eMonk

[requinix]

Compare them fairly:

$query = $mysqli->prepare('SELECT * FROM users WHERE username = ?');
$query->bind_param('s', $_GET['username']);
$query->execute();

$query = $mysqli->prepare("SELECT * FROM users WHERE username = '" . $_GET['username'] . "' ");
$query->execute();

See the problem with #2? The username isn't escaped. Without prepared statements you'd have to escape it yourself, which requires knowing how to do that properly (which isn't complicated or anything). With prepared statements you don't have to, and in fact should not, escape anything. No hidden gotchas.

[eMonk]

Ah, I believe I understand it now.

 

The use of bind_param is for the values stored within a table.

 

Thanks!