I know from a lot of googling and forum reading what Prepared statements do, but I would like to know "how" they do it... "How" it is more secure than say, just making sure you escape all your inputs and use correct quotes, etc..
Let's say you do something like:
// Prepare the SQL text with a named placeholder, bind the user-supplied value, then run it.
$st = $db->prepare("SELECT * FROM `table` WHERE `id` = :id");
$st->bindParam(':id', $_POST['id']);
$st->execute();
Or whatever query, doesn't matter for the sake of example.
So my question is...what does it actually do that is more secure than doing it yourself? Surely towards the endpoint of binding the parameter and executing the query it still has to actually build the SQL query with the actual value (or parameter) in it (which could contain an injection)?
This is what is confusing me...
Or does it literally just do the escaping and such for you and nothing else? So that you don't have to rely on the user to remember to do it every time?
I could be way off, but I was assuming it was basically doing something like:
SET @id = "whatever"; SELECT * FROM `test` WHERE `id` = @id
And just ensuring the value in the @id variable is properly escaped and quoted...
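A worked illustration of the point at issue, added here and not part of the original question: a prepared statement does not escape the value into the SQL text at all. The driver hands the database the query with a placeholder first, the database parses and plans that fixed text, and the value is delivered afterwards through a separate channel where it can only ever be a literal. Python's sqlite3 module is used instead of PHP/PDO so the example runs stand-alone (it calls the same prepare-then-bind API under the hood); the table, the rows and the sample inputs are constructed for the example. It contrasts the parameterized lookup with the string-concatenation version, including an input that is legitimate data but contains a quote:

```python
import sqlite3


def make_db():
    # Constructed in-memory table for the example; the last row has an
    # apostrophe in its id, which is ordinary data and must be findable.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE test (id TEXT, name TEXT)")
    db.executemany(
        "INSERT INTO test VALUES (?, ?)",
        [("1", "alice"), ("2", "bob"), ("3", "carol"), ("it's", "dave")],
    )
    return db


def lookup_concat(db, user_id):
    # The "do it yourself" variant: the value is pasted into the SQL text,
    # so the parser sees whatever the caller sent as part of the query.
    sql = "SELECT name FROM test WHERE id = '" + user_id + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_prepared(db, user_id):
    # Parameterized variant: the SQL text containing only the placeholder is
    # what gets parsed and planned; the value is bound separately and is
    # treated as a string literal no matter what characters it contains.
    sql = "SELECT name FROM test WHERE id = ?"
    return [row[0] for row in db.execute(sql, (user_id,))]


def concat_breaks(db, user_id):
    # True when the concatenated query is not even valid SQL any more,
    # i.e. the input changed the query's structure rather than its data.
    try:
        lookup_concat(db, user_id)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    for value in ("2", "it's", "2' OR '1'='1"):
        print(repr(value), "prepared ->", lookup_prepared(db, value))
        print(repr(value), "concat   ->",
              "syntax error" if concat_breaks(db, value) else lookup_concat(db, value))
```

Running it shows the three behaviours side by side: for a plain id both variants agree; for the id containing an apostrophe the parameterized query finds the row while the concatenated one fails to parse; and for an input that tries to extend the WHERE clause the parameterized query simply looks for a row whose id is that whole string and finds none, while the concatenated query returns every row. No escaping happens in the parameterized path, which is why there is nothing for the developer to remember to do.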