select * from table where col_name between 10 and 20;
select * from table where col_name between 30 and 40;
select * from table where col_name between 50 and 60;
You can’t. MySQL can’t work with input arrays. If you want a single query with those conditions, you need to create the appropriate WHERE clause for it. Query builders (like DBAL) make that considerably easier than doing it manually.
I don’t think he meant that using mysqli was a security hole, just that not using prepared statements is less secure than using them. Although if all the incoming numbers are hard-coded as in your example, it’s hard to see where a security issue would occur. The point is that if there’s any chance your query will use parameters that can be supplied externally (for example via $_GET or $_POST) then prepared statements help to secure things that just appending text does not.
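Added example (not code from any poster in this thread) that does what the two replies above describe: it builds one WHERE clause from a list of ranges while keeping every bound a prepared-statement parameter, so the same function is safe whether the ranges are hard-coded or arrive via $_GET. The table name `items`, the whitelist, the input format and the PDO connection values are assumptions.

```php
<?php
declare(strict_types=1);

// Turn [low, high] pairs into one parameterised query and return [$sql, $params]
// for PDO::prepare() / PDOStatement::execute().
function buildRangeQuery(string $table, string $column, array $ranges): array
{
    // Identifiers cannot be bound as parameters, so they are checked against a
    // whitelist defined in code (constructed names) instead of being escaped.
    $allowedTables  = ['items'];
    $allowedColumns = ['col_name'];
    if (!in_array($table, $allowedTables, true) || !in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException('Unknown table or column');
    }
    if ($ranges === []) {
        throw new InvalidArgumentException('At least one range is required');
    }
    $clauses = [];
    $params  = [];
    foreach ($ranges as $range) {
        if (!is_array($range) || count($range) !== 2) {
            throw new InvalidArgumentException('Each range must be a [low, high] pair');
        }
        [$low, $high] = array_values($range);
        // Reject anything that is not an integer before it reaches the driver.
        if (filter_var($low, FILTER_VALIDATE_INT) === false
            || filter_var($high, FILTER_VALIDATE_INT) === false) {
            throw new InvalidArgumentException('Range bounds must be integers');
        }
        // The SQL text only ever contains "?"; the values travel separately.
        $clauses[] = "`$column` BETWEEN ? AND ?";
        $params[]  = (int) $low;
        $params[]  = (int) $high;
    }
    $sql = sprintf('SELECT * FROM `%s` WHERE %s', $table, implode(' OR ', $clauses));
    return [$sql, $params];
}

// Constructed stand-in for input such as ?ranges[]=10,20&ranges[]=30,40&ranges[]=50,60
$incoming = ['10,20', '30,40', '50,60'];
$ranges   = array_map(fn(string $r): array => explode(',', $r), $incoming);
[$sql, $params] = buildRangeQuery('items', 'col_name', $ranges);
echo $sql, PHP_EOL, implode(',', $params), PHP_EOL;

// Running it against MySQL (connection values are placeholders):
// $pdo  = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS',
//                 [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
// $stmt = $pdo->prepare($sql);
// $stmt->execute($params);
// $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

The generated statement contains only placeholders, so a malformed or hostile value in $incoming either fails the integer check or is sent to MySQL as data, never as SQL text.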
But going backwards to old-style mysql_ calls would be even worse.
It wouldn’t in that particular instance - I was just wondering why when @ahundiak had already given the solution using prepare that @neha_k went to all the trouble of converting it back to use query.