Which is faster:
1.
// Escape each value, then interpolate it into the statement text.
$name = $sql->real_escape_string($_POST['name']);
$age = $sql->real_escape_string($_POST['age']);
$email = $sql->real_escape_string($_POST['email']);
$query = "INSERT INTO `tablename` VALUES ('$name','$age','$email');";
$sql->query($query) or die($query.'<br />'.$sql->error);
2.
$name = $_POST['name'];
$age = $_POST['age'];
$email = $_POST['email'];
// Placeholders must be bare ?, not '?': a quoted '?' is a literal string and
// bind_param() then fails because the statement has no parameters to bind.
$query = $sql->prepare("INSERT INTO `tablename` VALUES (?,?,?);");
if ($query === false) { die($sql->error); }
$query->bind_param("sis",$name,$age,$email);
$query->execute() or die($query->error);
When using prepare and bind_param you are sending more requests to the MySQL database, which will take more time, because there are more requests, and each request has its connection time.
That's true if the MySQL database is not located on the localhost server.
Is this statement correct? Thanks.
The actual purpose of using a prepared statement in SQL is to cut the cost of processing queries, NOT to separate data from query. That's how it's being used with PHP NOW, not how it was designed to be used in the first place. With SQL you cut the cost of executing multiple similar queries down by using a prepared statement. Doing so cuts out the parsing and validation, and most often generates an execution plan for said query up front, which is why they run faster in a loop than their IMMEDIATE query cousins do. Do not assume that just because someone uses PHP and this function this way, it is THE way, or the only way to do it. Although it is more secure than general queries, they are also more limited in what they can do, or more precisely in how you can go about doing it.
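A way to measure the question's two approaches directly, and the point above about prepared statements paying off in a loop, is to time both against a local database. This is an added example, not code from the question or the answers; the host, credentials, database name and the throwaway table `bench_people` are placeholders/assumptions, and the sample rows are constructed.

```php
<?php
// Added example: micro-benchmark of "escape + query" vs "prepare once, execute many".
// Assumes a local MySQL/MariaDB reachable with the placeholder credentials below.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
$sql = new mysqli('127.0.0.1', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$sql->query("CREATE TEMPORARY TABLE bench_people (name VARCHAR(64), age INT, email VARCHAR(128))");

// Constructed sample rows. The apostrophe in the name is the case that
// escaping (approach 1) or binding (approach 2) has to handle correctly.
$rows = [];
for ($i = 0; $i < 2000; $i++) {
    $rows[] = ["O'Brien $i", 20 + ($i % 50), "user$i@example.com"];
}

// Approach 1: escape every value and send a freshly built statement text each time.
function insertEscaped(mysqli $sql, array $rows): float {
    $t = microtime(true);
    foreach ($rows as [$name, $age, $email]) {
        $name  = $sql->real_escape_string($name);
        $age   = $sql->real_escape_string((string) $age);
        $email = $sql->real_escape_string($email);
        $sql->query("INSERT INTO bench_people VALUES ('$name','$age','$email')");
    }
    return microtime(true) - $t;
}

// Approach 2: prepare once, bind the variables once, execute per row.
// Placeholders are bare ?; quoting them as '?' would turn them into literal
// strings and bind_param() would fail because the statement has no parameters.
function insertPrepared(mysqli $sql, array $rows): float {
    $t = microtime(true);
    $stmt = $sql->prepare("INSERT INTO bench_people VALUES (?, ?, ?)");
    $stmt->bind_param("sis", $name, $age, $email); // bound by reference
    foreach ($rows as [$name, $age, $email]) {      // reassigning the bound variables
        $stmt->execute();
    }
    $stmt->close();
    return microtime(true) - $t;
}

$sql->begin_transaction(); // one transaction so per-row commit cost does not dominate
$escaped  = insertEscaped($sql, $rows);
$prepared = insertPrepared($sql, $rows);
$sql->rollback();          // discard the rows; the temporary table vanishes on disconnect

printf("escape+query: %.3fs, prepare+execute: %.3fs (%d rows each)\n",
       $escaped, $prepared, count($rows));
```

Run it a few times with the database on localhost and again over the network: the per-row cost of approach 1 grows with each round trip's text parsing, while approach 2 sends the statement text once and only the bound values afterwards.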
I think the reference link below will be useful to you: http://code.tutsplus.com/tutorials/pdo-vs-mysqli-which-should-you-use--net-24059