Many mature databases support the concept of prepared statements. What are they? You can think of them as a compiled template for the SQL an application wants to run, which can be customized with variable parameters. Prepared statements have two main advantages:
The query needs to be parsed (or prepared) only once, but can then be executed multiple times with the same or different parameters. When the query is prepared, the database analyzes, compiles and optimizes its plan for executing it. For complex queries this process can take enough time to noticeably slow down your application if you repeat the same query many times with different parameters but the same structure. By using a prepared statement you avoid repeating the analyze/compile/optimize cycle. Simply put, prepared statements use fewer resources and therefore run faster.
The parameters passed to a prepared statement do not need to be quoted; the underlying driver handles this for you. If your application exclusively uses prepared statements, you can be confident that no SQL injection will occur. (However, if you are still building other parts of the query with untrusted input, that remains risky.)
Precisely because prepared statements are so useful, they are the only feature that PDO emulates for drivers whose database does not support them. This lets you use a single, consistent data access pattern without worrying about whether the database itself has the capability.
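As an added example (not code from the original article), the following PHP script shows a PDO statement prepared once and executed with several parameter sets, plus the bound-parameter query beside the string-concatenated form it replaces. It assumes the pdo_sqlite extension and uses an in-memory SQLite database so it runs without a server; the table and rows are constructed for the demonstration.

```php
<?php
// Added example: PDO prepared statements against in-memory SQLite (assumes pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On drivers such as pdo_mysql, setting PDO::ATTR_EMULATE_PREPARES to false
// asks for real server-side prepares instead of PDO's client-side emulation.

// Constructed sample schema and data.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');

// Prepare once, execute many times with different parameters.
$insert = $pdo->prepare('INSERT INTO users (name, role) VALUES (:name, :role)');
foreach ([['alice', 'admin'], ['bob', 'user'], ["o'hara", 'user']] as [$name, $role]) {
    // No quoting needed: the apostrophe in "o'hara" is passed as data.
    $insert->execute([':name' => $name, ':role' => $role]);
}

// UNSAFE (for comparison only): the input becomes part of the SQL text,
// so a value containing quotes changes the structure of the statement.
function findByNameUnsafe(PDO $pdo, string $name): array
{
    return $pdo->query("SELECT name FROM users WHERE name = '$name'")
               ->fetchAll(PDO::FETCH_COLUMN);
}

// SAFE: the value is bound to a placeholder and compared literally, never parsed as SQL.
function findByNameSafe(PDOStatement $select, string $name): array
{
    $select->execute([':name' => $name]);
    return $select->fetchAll(PDO::FETCH_COLUMN);
}

$select = $pdo->prepare('SELECT name FROM users WHERE name = :name');

// A legitimate lookup reuses the same prepared statement without re-parsing.
var_dump(findByNameSafe($select, "o'hara"));   // the single matching row

// Constructed untrusted input containing a quote character.
$untrusted = "x' OR '1'='1";
var_dump(findByNameSafe($select, $untrusted)); // no rows: compared as a literal string
var_dump(findByNameUnsafe($pdo, $untrusted));  // every row: the quote altered the query
```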
PHP: PDO prepare (prepared statements)