Very briefly: you insert not-quoted question marks into your SQL syntax. Then, during the execute call, you provide a corresponding number of values. There are three really good reasons to do this:
- You can prepare a query one time, then execute against that statement-handle as often as you like, substituting appropriate values each time.
- “SQL insertion” becomes impossible. It no longer matters what the inserted parameter-text might contain, because the SQL parser never considers the inserted parameters as “possibly being SQL.” They are not. Period.
- Especially in high-volume situations, it is noticeably more efficient. prepare can be a fairly expensive operation, which becomes an issue if you have to do it a few hundred thousand times.