Sourav

Reputation: 17530

Difference Between PDO / Prepared Statement - PHP/MySQL

I tried Google to find any disadvantage but did not find any!
I'll be glad if anyone shares something on this topic!
Advantage/disadvantage of PDO and Prepared Statement

Edit 2 :

I think everyone wants to say Prepared Statement is better than PDO?
Am I right?

Upvotes: 0

Views: 1049

Answers (2)

akc42

Reputation: 5001

The real big advantage of prepared statements is that the parameters passed in to the ? are checked for validity. So SQL injection attacks are harder than if you create your SQL something like this

$SQL = "INSERT INTO table VALUES('" . $stringfromForm . "');";

as if someone could enter the following into the form

x'); INSERT INTO someothertable VALUES ('rubbish

then you could be in trouble.

Upvotes: 0

Jim

Reputation: 18853

The major disadvantage to PDO will be it takes a bit more querying time (I cannot "prove" this so don't take it as fact, just what I have noticed / read), which is well less than a second. But if you need that extra less than a second, mysqli offers prepared statements like PDO and I believe works a bit quicker given it is set for one database and not many.

It is more code, but as nikic stated, use a wrapper class to set up your statements so your code can look something like:

$db->fetchAll('SELECT * FROM table WHERE name = ?', $name);

Where fetchAll is a custom function you write to handle the binding of the params etc.

Which would I use? mysqli or PDO (PDO due to its versatility personally). MySQL (not mysqli) is kind of outdated, and in the end you could be writing a lot more code using MySQL in that you always have to filter the input (as in escape to prevent SQL injections; it will not validate what should be put in there) before putting it into the database. Using prepared statements, the filtering is all done for you and the chance for an injection is very low as long as it is used properly.

Upvotes: 1
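The contrast both answers draw, as an added example that is not part of either answer: string concatenation beside a PDO prepared statement, plus a small positional-binding wrapper in the spirit of Jim's $db->fetchAll(). The connection details and the `users` table are assumed placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answers. Assumes a MySQL database
// reachable with the placeholder credentials below and a hypothetical
// `users` table with at least a `name` column.
$pdo = new PDO('mysql:host=localhost;dbname=example_db;charset=utf8mb4', 'user', 'password', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares, not client-side quoting
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Unsafe: the input becomes part of the SQL text, so any quote in $name
// changes the statement itself. Shown only to contrast with the version below.
function findUsersUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT * FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll();
}

// Safe: the SQL text is fixed at prepare time and $name travels separately as a
// bound value, so quotes and keywords inside it are compared as data, never parsed.
function findUsersSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll();
}

// Wrapper like the one Jim describes: prepare once, bind every positional
// value in order, return all rows. Hypothetical helper, not a PDO method.
function fetchAllRows(PDO $pdo, string $sql, ...$params): array
{
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll();
}

// Constructed input: a perfectly legitimate name that happens to contain a quote.
$name = "O'Brien";

try {
    findUsersUnsafe($pdo, $name);            // the quote breaks the statement: syntax error
} catch (PDOException $e) {
    echo "unsafe version failed: " . $e->getMessage() . PHP_EOL;
}

$rows = findUsersSafe($pdo, $name);          // matches the literal name O'Brien
echo count($rows) . " row(s) via prepared statement" . PHP_EOL;

$rows = fetchAllRows($pdo, 'SELECT * FROM users WHERE name = ? AND id > ?', $name, 0);
echo count($rows) . " row(s) via wrapper" . PHP_EOL;
```

The same mechanism that keeps the apostrophe in O'Brien out of the SQL grammar is what stops the `x'); INSERT INTO ...` input from akc42's answer from being executed as a second statement.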
