The results are equivalent, both this way:
$safeuser = $mysqli -> real_escape_string($user );
$safepassword = $mysqli -> real_escape_string($password);
$mysqli->query( "INSERT INTO usuarios ( nome, senha ) VALUES ( '$safeuser','$safepassword' )" );
... and this way:
$stmt = $mysqli->prepare( 'INSERT INTO usuarios ( nome, senha ) VALUES ( ?, ? )' );
$stmt->bind_param("ss", $user, $password );
$stmt->execute();
However, prepared statements have some advantages:
- The original query becomes much more readable (just like the rest of the code).
- You do not need to deal with the quotation marks in your query, regardless of the parameter type.
- You have no danger of forgetting to handle the variables.
- You do not need to create intermediate variables or change the originals to insert into the database.
- This is not your case, but in situations where the query is going to be executed multiple times with only the values changing, the MySQL connector will send only the updated data, without re-parsing the query and redoing the planning (which is the great differential of doing native binding on the server).
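The last point in practice: an added example (not code from the answer above) that prepares the same INSERT once and executes it for several rows, next to the escaping version that must rebuild and escape the query for every row. It assumes a `mysqli` connection and the `usuarios` table from the answer; the host, credentials and the `$rows` data are constructed placeholders.

```php
<?php
// Added example: prepare once, execute many times (not from the original answer).
// Connection details and $rows are constructed placeholders.
$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$mysqli->set_charset('utf8mb4'); // both escaping and binding rely on the connection charset being known

$rows = [
    ['alice',  'senha-1'],
    ["o'hara", 'senha-2'], // embedded quote: no manual escaping needed with binding
    ['bob',    'senha-3'],
];

// Prepared statement: the query text goes to the server once; each execute()
// sends only the two bound values.
$nome = $senha = '';
$stmt = $mysqli->prepare('INSERT INTO usuarios ( nome, senha ) VALUES ( ?, ? )');
$stmt->bind_param('ss', $nome, $senha); // bound by reference: reassigning the variables is enough

foreach ($rows as [$nome, $senha]) {
    $stmt->execute();
}
$stmt->close();

// Escaping approach for comparison: every variable must be escaped by hand and
// the full query string is rebuilt and re-parsed by the server for every row.
foreach ($rows as [$nome, $senha]) {
    $safeNome  = $mysqli->real_escape_string($nome);
    $safeSenha = $mysqli->real_escape_string($senha);
    $mysqli->query("INSERT INTO usuarios ( nome, senha ) VALUES ( '$safeNome', '$safeSenha' )");
}
```

Forgetting a single `real_escape_string` call in the second loop is the mistake the bullet list warns about; the first loop has no such call to forget.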