
I am writing my custom update queries like:

$upd = Mage::getSingleton('core/resource')->getConnection('core_write')->query($qry);

But with this, I am basically writing insecure, plain SQL queries. What can I change in the code above to use prepared statements?

Aoi

1 Answer


If you want to bind parameters, which is what I think you mean, you can do this as you would normally with PDO and then pass in an array of parameters as the second argument to the query method.

See this similar question: Using Magento Methods to write Insert Queries with care for SQL Injection

edmondscommerce
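The binding the answer describes, shown as an added example (not code from the original question or answer). It uses the Zend_Db adapter methods Magento 1 exposes, query($sql, $bind), update() and quoteInto(); the table, columns and the $status / $incrementId variables are assumed for illustration.

```php
<?php
// Added example: parameter binding through Magento 1's Zend_Db adapter.
// Table and column names are assumed; $status and $incrementId are
// untrusted input (e.g. from a request) in this scenario.
$resource = Mage::getSingleton('core/resource');
$write    = $resource->getConnection('core_write');
$table    = $resource->getTableName('sales/order'); // applies any table prefix

// Insecure form from the question: values concatenated into the SQL string,
// so a quote character in $status or $incrementId changes the statement.
// $qry = "UPDATE {$table} SET status = '{$status}' WHERE increment_id = '{$incrementId}'";
// $write->query($qry);

// Prepared form: positional placeholders in the SQL, values passed as the
// second argument. The driver sends them separately from the statement text.
$sql  = "UPDATE {$table} SET status = ? WHERE increment_id = ?";
$stmt = $write->query($sql, array($status, $incrementId));
$affectedRows = $stmt->rowCount();

// Named placeholders are accepted as well; keys match the placeholder names.
$sql = "UPDATE {$table} SET status = :status WHERE increment_id = :id";
$write->query($sql, array('status' => $status, 'id' => $incrementId));

// The adapter's update() helper binds the SET values itself; the WHERE clause
// is quoted with quoteInto() so the identifier value is escaped, not concatenated.
$write->update(
    $table,
    array('status' => $status),
    $write->quoteInto('increment_id = ?', $incrementId)
);
```

Only values can be bound this way; table and column names still have to come from trusted code, not from user input.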