$query = $this->db->prepare("INSERT INTO `images` (`anunt`, `image_location`) VALUES(?, ?)");

$query->bindValue(1, $iddd);
$query->bindValue(2, $image_location);

try {
    $query->execute();
} catch (PDOException $e) {
    // the query failed; handle or log the error here
}

or this

$ret = sql_query("INSERT INTO images (anunt, image_location) VALUES ('" .$iddd. "', '" .$image_location. "')");

Or another way maybe? What advantages does the bind one have? I read somewhere that it's hard to SQL inject.

Martzy
  • Read about "sql injection". There are a lot of resources already written on the topic. Also, try searching SO for "bind variables sql injection". You should find quite a few relevant answers. – Cully May 15 '14 at 01:15
  • Some here will argue that you should _always_ use prepared statements. I don't subscribe to that view - I believe in using the appropriate tool for the job, which isn't always prepared statements. The caveat is that prepared statements aren't susceptible to SQL injection. I argue that other methods can be secured against SQL injection too. – May 15 '14 at 01:18
  • This is not a duplicate question to http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php. This question specifically asks for the advantages of prepared statements, which include more than SQL injection prevention. – compid May 15 '14 at 01:21
  • ^ Exactly, I did not ask what to do to prevent SQL injection. I said that I read it's an advantage; that's what I know, not what I want to find out. – Martzy May 15 '14 at 01:34

1 Answer

Database pre-optimizations

When you initialize a prepared statement, the DBMS actually pre-optimizes the database and compiles your query. This would be useful if you plan to make multiple bound queries with the same prepared statement.

SQL Injection prevention

The PHP SQL drivers will escape any literals inside a bound value, to prevent SQL injection.

compid
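Added example (not from the question or the answer above): the two advantages the answer lists, shown side by side against the question's own INSERT. It is written in Python with the standard sqlite3 module rather than PHP/PDO, because the mechanism is the same DB-API style of parameter binding; the table name, column names and the payload value are constructed for the demonstration.

```python
import sqlite3

# Constructed sample input: an ad id and an attacker-chosen "file name".
# The payload closes the open string literal in the concatenated query and
# appends a second VALUES row that the application never intended to write.
AD_ID = 5
PAYLOAD = "pic.jpg'), (999, 'attacker.jpg"


def fresh_db():
    """In-memory database holding the `images` table from the question."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE images (anunt INTEGER, image_location TEXT)")
    return db


def all_rows(db):
    return db.execute(
        "SELECT anunt, image_location FROM images ORDER BY anunt"
    ).fetchall()


def insert_concatenated(db, iddd, image_location):
    """The string-building variant from the question.

    Whatever is in image_location is pasted into the SQL text, so the
    payload above turns one INSERT of one row into an INSERT of two rows,
    the second one under an anunt the attacker picked.
    """
    sql = ("INSERT INTO images (anunt, image_location) VALUES ('"
           + str(iddd) + "', '" + image_location + "')")
    db.execute(sql)
    return all_rows(db)


def insert_bound(db, iddd, image_location):
    """The bound-parameter variant.

    The SQL text is fixed; the values travel separately, so the payload is
    stored verbatim as a (strange) file name and no extra row appears.
    """
    db.execute("INSERT INTO images (anunt, image_location) VALUES (?, ?)",
               (iddd, image_location))
    return all_rows(db)


def insert_many_bound(db, rows):
    """The reuse advantage: one prepared statement, many bindings.

    executemany compiles the statement once and runs it per row.
    """
    db.executemany(
        "INSERT INTO images (anunt, image_location) VALUES (?, ?)", rows)
    return db.execute("SELECT COUNT(*) FROM images").fetchone()[0]


if __name__ == "__main__":
    print("concatenated:", insert_concatenated(fresh_db(), AD_ID, PAYLOAD))
    print("bound:       ", insert_bound(fresh_db(), AD_ID, PAYLOAD))
    print("bulk rows:   ", insert_many_bound(
        fresh_db(), [(1, "a.jpg"), (1, "b.jpg"), (2, "c.jpg")]))
```

Running it prints two rows for the concatenated query (5/pic.jpg plus the attacker's 999/attacker.jpg) and a single row for the bound query whose image_location is the literal payload. In PDO the same separation is done by the driver, either natively or, when PDO::ATTR_EMULATE_PREPARES is on, by the driver quoting the value client-side; in both modes the bound value never becomes part of the statement's SQL grammar.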