MySQL Prepared Statements

A prepared statement lets you set up a statement once and then execute it many times with different parameters. Prepared statements are designed to replace building ad hoc query strings, and do so in a more secure and efficient manner.

Why Prepared Statements?

  • They offer security and better performance.
  • They prevent a very common type of vulnerability called an SQL injection attack.
  • With prepared statements, you don't need to worry about calling functions that escape all of the troublesome characters, such as the single quote, double quote, and backslash.
  • A prepared statement is parsed only once, when it is first prepared, which improves performance. If you then execute the query many times, it no longer has that parsing overhead. This pre-parsing can lead to a speed increase if you need to run the same query many times, such as when doing many INSERT statements.
  • Performance may also increase through the use of the new binary protocol that prepared statements can use. The traditional protocol in MySQL always converts everything into strings before sending it across the network.
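
The points above shown in MySQL's SQL-level PREPARE / EXECUTE syntax, as an added example that is not from the original article. The table `accounts`, the statement names and all sample values are constructed for illustration.

```sql
-- Constructed sample schema (not from the article).
CREATE TABLE accounts (
    id   INT AUTO_INCREMENT PRIMARY KEY,
    name VARCHAR(64) NOT NULL,
    role VARCHAR(16) NOT NULL
);

-- Set up the INSERT once, then execute it many times with different parameters.
PREPARE add_account FROM 'INSERT INTO accounts (name, role) VALUES (?, ?)';
SET @name = 'alice', @role = 'admin';
EXECUTE add_account USING @name, @role;
SET @name = 'bob', @role = 'user';
EXECUTE add_account USING @name, @role;
-- A value containing a single quote needs no escaping function when it is bound.
SET @name = 'o''brien', @role = 'user';
EXECUTE add_account USING @name, @role;
DEALLOCATE PREPARE add_account;

-- Untrusted input (constructed) that contains quote characters.
SET @input = 'nobody'' OR ''1''=''1';

-- Weak: ad hoc query string. The input is concatenated into the SQL text
-- before parsing, so its quotes become part of the statement's syntax.
SET @sql = CONCAT('SELECT id, name, role FROM accounts WHERE name = ''', @input, '''');
PREPARE adhoc_lookup FROM @sql;
EXECUTE adhoc_lookup;
DEALLOCATE PREPARE adhoc_lookup;

-- Corrected: the statement text is fixed and the input is bound to the ?
-- placeholder, so it is only ever compared as a string value.
PREPARE lookup FROM 'SELECT id, name, role FROM accounts WHERE name = ?';
EXECUTE lookup USING @input;
DEALLOCATE PREPARE lookup;
```

Preparing a concatenated string, as in the weak form, gives none of the protection: only values passed through placeholders stay out of the parser.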
