alexandre, posted November 12, 2022 (edited November 12, 2022 by alexandre):

So this is not an issue or anything, but I was just wondering a bit about the use of variables in a query. With PHP I thought I had to use the bind parameter to be able to bind a variable value in the query. Somehow I saw this in some code example:

    $query = "SELECT * FROM student LIMIT $start_from, $per_page_record";

and it is not using any binding parameter. So my question is, what is the difference of use between using bind_param and directly using variables in the query? Personally I never was able to put a variable just like that in a query, not that I tried a lot, but once I found the bind_param function I only used this method.
mac_gyver, posted November 12, 2022 (marked as solution):

The main point of using a prepared query, i.e. with placeholders in the SQL statement where the data values are to be acted upon, then supplying the actual data values when the query is executed, is to prevent any SQL special characters in a data value from being able to break the SQL query syntax, which is how SQL injection is accomplished, by separating the parsing of the SQL query syntax from the evaluation of the data values. A secondary point is that they provide a performance gain (~5%) in the rare cases when you execute the same query within one instance of your script with different data values, since the SQL query statement is only sent to the database server once, where it is parsed and its execution is planned only once.
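The pagination query from the question, written both ways, as an added example that is not part of the thread. It assumes a MySQL database named `school` with a `student` table (columns `id`, `name`), placeholder connection credentials, and the mysqlnd driver (needed for `get_result()`).

```php
<?php
declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Connection details are placeholders for this example.
$db = new mysqli('localhost', 'app_user', 'app_password', 'school');
$db->set_charset('utf8mb4');

// The page number comes from the request, so it is untrusted. Validate it as a
// bounded integer before it goes anywhere near the query; anything else falls
// back to page 1 instead of reaching the database.
$page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT, [
    'options' => ['default' => 1, 'min_range' => 1, 'max_range' => 100000],
]);
$per_page_record = 10;                        // fixed by the application, not the user
$start_from      = ($page - 1) * $per_page_record;

// Insecure form from the question: the values become part of the SQL text, so
// any SQL special characters in them are parsed as SQL syntax, not as data.
// $query = "SELECT * FROM student LIMIT $start_from, $per_page_record";

// Prepared form: placeholders mark where data belongs. The server parses and
// plans the statement once; the values arrive separately at execute time and
// can never change the statement's structure.
$stmt = $db->prepare('SELECT id, name FROM student ORDER BY id LIMIT ?, ?');

// 'ii' declares both values as integers, which MySQL accepts for LIMIT.
// bind_param binds by reference, so changing $start_from and calling
// execute() again fetches another page without re-sending the SQL text
// (the performance point from the answer above).
$stmt->bind_param('ii', $start_from, $per_page_record);
$stmt->execute();

$students = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
foreach ($students as $student) {
    // A safe query says nothing about HTML: still escape on output.
    echo htmlspecialchars($student['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
$stmt->close();
```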
alexandre, posted November 12, 2022:

OK, so in other words it is again people showing how to code uncovered for SQL injection. But I understand now, thank you.