The simplest way to determine if you need prepared statements is
- Does my query require or use user supplied inputs?
- Does my query use input from a URL source? (Still pertains to the first bulleted question.)
- Does my query use the
- Are these queries being escaped?
If the answer is no to all of those above, then you aren't required to use prepared statements. But if just 1 bullet is a "yes" for the above, you need to use prepared statements.
I usually look at the query. If my query uses a WHERE clause or a SET clause, I use prepared statements. It's also not hard to prepare a query as well. It is way more simple than having to write 50 lines with
I found this off another forum, but it is a really good source to reference when questioning if you need prepared statements or not.
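An added example, not part of the original post: the WHERE/SET rule of thumb shown with a concatenated query beside its prepared form. It assumes Python's built-in `sqlite3` module; the `users` table, the function names and the sample inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db

def find_user_concat(db, name):
    # "Before": user input is pasted into the SQL text, so quotes in
    # the input become part of the statement itself.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in db.execute(sql))

def find_user_prepared(db, name):
    # "After": the statement text is fixed; the input is bound as data.
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)

def set_email_prepared(db, name, email):
    # SET and WHERE both take user input, so both values are bound.
    cur = db.execute("UPDATE users SET email = ? WHERE name = ?", (email, name))
    db.commit()
    return cur.rowcount  # number of rows actually changed

def concat_breaks_on_quote(db, name):
    # A legitimate value containing a quote is enough to break the
    # concatenated query with a syntax error.
    try:
        find_user_concat(db, name)
        return False
    except sqlite3.OperationalError:
        return True

# Constructed input that rewrites the WHERE clause when concatenated.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concat:  ", find_user_concat(db, CRAFTED))
    print("prepared:", find_user_prepared(db, CRAFTED))
    print("rows updated:", set_email_prepared(db, CRAFTED, "z@example.test"))
    print("O'Brien breaks concat:", concat_breaks_on_quote(db, "O'Brien"))
```
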