Difference between query () and execute () [duplicate]

  

When we use the mysqli or PDO interfaces; we can work   the queries of the following modes

EXAMPLE

$data = $conexion->query("SELECT * FROM posts");

  

PDO EXAMPLE

$id = 9;
$data = $conexion->prepare("SELECT * FROM posts WHERE id = :id");
$data->execute([":id" => $id]);
$resultado = $data->fetch(PDO_FETCH_ASSOC);

  

MYSQLI EXAMPLE

$id = 12;
$data = $conexion->prepare("SELECT * FROM posts WHERE id = ?");
$data->bind_param("i", $id);
$data->execute();

  

In either case mysqli or PDO at the time of use   prepared sentences; we need to make use of: name markers    :nombre or placeholders ? to indicate the data   dynamics that are going to be processed in the query

The way you are using it, yes, the result is the same.

BUT! No, they are not and they do not work exactly the same.

Prepared sentences serve to avoid the SQL injection automatically escaping the linked parameters and at the same time" optimize "the query if it needs to be done repeatedly.

Suppose the following case:

<?php
// CUIDADO: esto elimina la tabla EJ_TABLA 
$Id = "1'; DROP TABLE EJ_TABLA; SELECT * FROM EJ_TABLA WHERE ID='1";

// El resultado de hacer
$base->query("DELETE FROM EJ_TABLA WHERE ID='$Id'");

// Seria equivalente a
$base->query("DELETE FROM EJ_TABLA WHERE ID='1'; DROP TABLE EJ_TABLA; SELECT * FROM EJ_TABLA WHERE ID='1'");

// Lo cual claramente no es el resultado esperado

//----------

// En cambio si se usa correctamente (y suponiendo que estas usando MySQLi)
$stmt = $base->prepare("DELETE FROM EJ_TABLA WHERE ID=?");
$stmt->bind_param('s', $Id);
$stmt->execute();

// Seria equivalente a 

$base->prepare("DELETE FROM EJ_TABLA WHERE ID='1\'; DROP TABLE EJ_TABLA; SELECT * FROM EJ_TABLA WHERE ID=\'1'")->execute();

// Si prestas atención, las comillas fueron escapadas, 
// se evito la inyección SQL y nada malo habrá pasado.