I've read a book about PHP & MySQL. prepared statement use binary protocol, but mysqli lacks this feature. Also I read that prepared statements can be cached (their execution plan) and are faster than mysqli_query and of course safer? when should we use prepared statements and when mysqli_query?
EDIT
Let's asume I have the below query:
echo "<table>";
echo "<tr class ='tablehead'><td>Name</td><td>Location</td><td>Review</td><td>Image</td> <td>Thumb</td></tr>";
while ($row = mysql_fetch_array($query))
{
echo "<tr>";
echo "<td>" . $row['user_fname'] . "</td>";
echo "<td>" . $row['user_location'] . "</td>";
echo "<td>" . $row['user_review'] . "</td>";
echo "<td>" . $row['user_image'] . "</td>";
echo "<td>" . $row['user_thumb'] . "</td>";
echo "</tr>";
}
echo "</table>";
Which approach is the best here?
Prepared statements have some advantages, one important of them being to be much more foolproof against SQL injection bugs. I consider this to be their biggest advantage.
Concerning performance, one has to think about the costs of SQL parsing, query plan creation and result fetch phase vs. the cost of query execution: If I/O on the latter is dominating (as it often is), you gain very little from prepared staements or mysqli.
For simple repeating queries - as often used in the simpler part of webapps - the MySQL query cache works for queries with the exact same and complete SQL text, thus prepared queries will not make use of it. From my experience, this can more than negate any performance advantage of prepared queries.