in reply to Re: Re: DBI bug?
in thread DBI bug?
Unless your variables are coming from trusted sources or you're doing some serious sanitization prior to using them in your SQL, you should be using placeholders anyway. Don't let the user stick a single-quote in your input and let them inject their own SQL into your statement. Placeholders/bind variables are secure, and allow your SQL to be re-used, so it's faster and more efficient.
Plus, it makes your code more readable. Just some tips, good luck.
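The contrast the reply draws, as an added example that is not part of the original post or of DBI itself: the same lookup written once with the value interpolated into the SQL text and once with a placeholder. It assumes DBD::SQLite is installed (an in-memory database keeps it self-contained) and uses a constructed users table and constructed input values.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available. An in-memory database keeps this runnable offline.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });

# Constructed sample data, including a name that legitimately contains a single quote.
$dbh->do('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
my $ins = $dbh->prepare('INSERT INTO users (name, role) VALUES (?, ?)');
$ins->execute(@$_) for (['alice', 'admin'], ['bob', 'user'], ["o'brien", 'user']);

# Constructed input of the kind the reply warns about: it contains a single quote.
my $name = "o'brien";

# Unsafe: the value becomes part of the SQL text. The quote closes the string
# literal early, so the statement no longer means what the programmer intended
# (here it fails to parse; other inputs can change the query instead of breaking it).
# The statement text also differs for every value, so nothing can be re-used.
my $rows = eval {
    $dbh->selectall_arrayref("SELECT id, role FROM users WHERE name = '$name'");
};
print 'interpolated: ', ($@ ? "SQL error: $@" : scalar(@$rows) . " row(s)\n");

# Safe: a placeholder. The value is bound as data, so the quote is just a character,
# and one prepared handle serves every execution.
my $sth = $dbh->prepare('SELECT id, role FROM users WHERE name = ?');
for my $n ('alice', "o'brien", "nobody'") {
    $sth->execute($n);                       # same handle, re-used with a new bound value
    my $hits = $sth->fetchall_arrayref;
    printf "placeholder %-10s -> %d row(s)\n", "'$n'", scalar @$hits;
}

$dbh->disconnect;
```

Running it shows the interpolated query dying with a syntax error on the quoted name, while the placeholder version finds alice and o'brien and returns zero rows for the trailing-quote input, because the quote never reaches the SQL parser as syntax.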