
I'm trying to work with a specific database and I'm not sure why one would use an update statement rather than a prepare statement.

What is the primary difference between the two?

// First example: prepared statement with bound parameters
$sql = $conn->prepare("UPDATE credential SET nickname= ?,email= ?,address= ?,Password= ?,PhoneNumber= ? where ID=$id;");
$sql->bind_param("sssss",$input_nickname,$input_email,$input_address,$hashed_pwd,$input_phonenumber);
$sql->execute();
$sql->close();

// Second example: the UPDATE built as a plain string
$sql = "UPDATE credential SET nickname='$input_nickname',email='$input_email',address='$input_address',Password='$hashed_pwd',PhoneNumber='$input_phonenumber' where ID=$id;";
Dharman
Rando_POI

1 Answer

UPDATE and running a prepared statement are not mutually exclusive. Most SQL statements can be 'prepared'.

So this is not an either/or question. If you need to do an UPDATE statement, you should probably always use prepared statements.

Your second example that doesn't use a prepared statement will very likely have a SQL injection-related security bug. Avoiding these security bugs is the biggest reason to use prepared statements.

Evert
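The difference the answer describes, as an added example that is not the asker's or the answerer's code: the same UPDATE is run once as a built string and once as a prepared statement against constructed sample rows. Assumptions: an in-memory SQLite database through PDO stands in for the question's mysqli connection so the script runs without a server, the table is trimmed to two columns, the helper names are hypothetical, and the ID is bound as a parameter as well, unlike the question's first snippet.

```php
<?php
// Added example: PDO with in-memory SQLite stands in for the MySQL connection
// (assumption). Rows and inputs below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

function reset_table(PDO $db): void {
    $db->exec("DROP TABLE IF EXISTS credential");
    $db->exec("CREATE TABLE credential (ID INTEGER PRIMARY KEY, nickname TEXT, email TEXT)");
    $db->exec("INSERT INTO credential VALUES (1, 'al', 'alice@example.test'), (2, 'bo', 'bob@example.test')");
}

// String-built UPDATE, like the question's second snippet: input becomes SQL text.
function update_concat(PDO $db, int $id, string $nickname, string $email): int {
    $sql = "UPDATE credential SET nickname='$nickname',email='$email' WHERE ID=$id";
    return $db->exec($sql);
}

// Prepared UPDATE: every value, including the ID, is sent as bound data.
function update_prepared(PDO $db, int $id, string $nickname, string $email): int {
    $stmt = $db->prepare("UPDATE credential SET nickname = ?, email = ? WHERE ID = ?");
    $stmt->execute([$nickname, $email, $id]);
    return $stmt->rowCount();
}

// Constructed input: the quote ends the string literal and -- comments out WHERE.
$crafted = "e@example.test' --";

reset_table($db);
try {
    update_concat($db, 1, "O'Brien", 'a@example.test');
} catch (PDOException $e) {
    echo "concat, O'Brien: statement rejected as malformed SQL\n";
}
echo "concat, crafted email: rows changed = ", update_concat($db, 1, 'al', $crafted), "\n";

reset_table($db);
echo "prepared, O'Brien: rows changed = ", update_prepared($db, 1, "O'Brien", 'a@example.test'), "\n";
echo "prepared, crafted email: rows changed = ", update_prepared($db, 1, 'al', $crafted), "\n";
echo "stored email: ", $db->query("SELECT email FROM credential WHERE ID = 1")->fetchColumn(), "\n";
```

Comparing the row counts printed for the two variants shows whether the WHERE clause survived the input; with the prepared statement the quote and dashes end up stored in the email column as ordinary characters.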