The sentences before being processed must be prepared, because in a production environment they will respond to the interactivity of the user; that is, a select, insert, update or delete will depend on the variables that the user sends:
//ejemplo
$enunciado = $conexion->prepare("SELECT * FROM ventas WHERE producto = :producto");
For the previous case, the response of the system will depend on the information sent by the user
//ejemplo
$enunciado = $conexion->prepare("SELECT * FROM ventas WHERE producto = :producto");
$ejecutar->bindParam(':producto', $producto, PDO::PARAM_STR);
$ejecutar->execute();
If you are only running tests in a location where it is not an environment
real for your application there if it is otherwise; but generally
developments go to production therefore they must pass the
sentences by the prepare method as well as identify the values that
arrive by means of the position pointers and at the end indicate the
type of data that arrives
The fact is not that it is as such an opinion of whether it is better or not, but by the fact that sentences should not only respond to op with the database but also protect the user who is using them to avoid SQL injection attacks
If you do not, you are eliminating the good practice of protecting your
SQL queries, which for any development should be
present
I advise you to keep in mind that not only do you have execute () or bindParam present, but also:
PDO :: PARAM_STR
PDO :: PARAM_INT
So that with the above at the time of doing bindParam the type of value that is happening is identified