Using Bind Variables
Description
Using bind variables (also known as parameterization or parameterized queries) is an important way to prevent SQL Injection attacks, and should be used as a matter of course on any internet-facing web site. The SQL text stays fixed and the values are handed to the driver separately, so user-supplied input is never interpreted as part of the statement.
In addition, there may be performance improvements for statements executed multiple times, because a prepared statement can be parsed once and then run repeatedly with different values.
Bind Variables In ADOdb
Most methods that accept an SQL statement as a parameter also accept an array of bind variables to substitute for the placeholders in the statement.
/*
 * Using a MySQL database
 *
 * Statement without binding
 */
$sql = "SELECT * FROM some_table WHERE col1='A' AND col2='B' AND col3='C'";
$result = $db->execute($sql);

/*
 * Same statement with binding
 */
$bindVars = array('A','B','C');
$sql = "SELECT * FROM some_table WHERE col1=? AND col2=? AND col3=?";
$result = $db->execute($sql,$bindVars);
Note that the number of variables in the $bindVars array must match the number of bind placeholders (?) in the statement, in the same order. Bind variables carry data values only: table and column names, ORDER BY targets and other SQL keywords cannot be bound, and must be validated by other means (for example, checked against a whitelist of allowed names).
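The following is an added example, not code from the ADOdb documentation or the ADOdb project. It puts a concatenated lookup next to the same lookup written with bind variables, then shows prepare/execute for a repeated INSERT and the whitelist check needed where binding does not apply. It assumes ADOdb installed through Composer (package adodb/adodb-php), a MySQL database named app, and hypothetical tables users and login_events with the columns used below; the connection credentials are placeholders.

```php
<?php
// Added example for ADOdb bind variables (not part of the ADOdb docs).
// Assumes: composer require adodb/adodb-php, MySQL database "app",
// hypothetical tables users(id, username, role, active) and
// login_events(user_id, ip, succeeded).
require_once __DIR__ . '/vendor/autoload.php';

$db = newAdoConnection('mysqli');
$db->connect('localhost', 'app_user', 'app_pass', 'app');   // placeholder credentials
$db->setFetchMode(ADODB_FETCH_ASSOC);

/*
 * VULNERABLE: the value is spliced into the SQL text.
 * With $username = "admin' -- " the WHERE clause becomes
 *   WHERE username='admin' -- ' AND active=1
 * so the active check is commented out and the lookup returns "admin".
 */
function findUserUnsafe($db, $username)
{
    $sql = "SELECT id, username, role FROM users "
         . "WHERE username='" . $username . "' AND active=1";
    return $db->getRow($sql);
}

/*
 * SAFE: the SQL text is constant; the value travels as a bind variable.
 * The same input is now just a username string that matches no row.
 */
function findUserSafe($db, $username)
{
    $sql = "SELECT id, username, role FROM users WHERE username=? AND active=1";
    return $db->getRow($sql, array($username));
}

/*
 * Repeated statement: prepare once, execute per row with a fresh bind array.
 * The bind array length and order must match the three placeholders.
 */
function insertLoginEvents($db, array $events)
{
    $stmt = $db->prepare(
        "INSERT INTO login_events (user_id, ip, succeeded) VALUES (?, ?, ?)"
    );
    foreach ($events as $ev) {
        $ok = $db->execute($stmt, array($ev['user_id'], $ev['ip'], $ev['ok'] ? 1 : 0));
        if ($ok === false) {
            throw new RuntimeException('insert failed: ' . $db->errorMsg());
        }
    }
}

/*
 * Binding covers values only. A sort column is an identifier, so it is
 * checked against a fixed whitelist instead; the value (active flag) is bound.
 * A LIKE pattern is still a value: build the whole pattern and bind it.
 */
function listUsers($db, $sortCol, $namePrefix)
{
    $allowed = array('id', 'username', 'role');
    if (!in_array($sortCol, $allowed, true)) {
        $sortCol = 'id';
    }
    $sql = "SELECT id, username, role FROM users "
         . "WHERE active=? AND username LIKE ? ORDER BY $sortCol";
    return $db->getAll($sql, array(1, $namePrefix . '%'));
}

// Constructed inputs: the first is the classic comment-out payload.
$probe = "admin' -- ";
var_dump(findUserUnsafe($db, $probe));   // may return the admin row
var_dump(findUserSafe($db, $probe));     // returns false: no such username

insertLoginEvents($db, array(
    array('user_id' => 1, 'ip' => '203.0.113.7', 'ok' => true),
    array('user_id' => 1, 'ip' => '203.0.113.7', 'ok' => false),
));
var_dump(listUsers($db, 'username; DROP TABLE users', 'ad'));  // sorts by id
```

The ? placeholder shown here is what the MySQL drivers expect; other ADOdb drivers use different placeholder syntax, so portable code can generate the placeholder with $db->param() rather than hard-coding ?. Note also that the unsafe function is kept only to show the contrast; it is the pattern the page warns against.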