I learned in school to do something like the below to insert data into SQL via $_POSTed form data.
$title = mysql_escape_string($_POST["newstitle"]);
$body = mysql_escape_string($_POST["newsbody"]);
$addnews = $db->query("
INSERT INTO news
VALUES (CURRENT_DATE, '$body', '$title', '')
");
However, it was fairly recently I was told I should be using the below instead:
$addnews = $db->prepare("
INSERT INTO news
VALUES (CURRENT_DATE, :body, :title, '')
");
$addnews->execute(array(
':body' => $_POST["newsbody"],
':title' => $_POST["newstitle"]));
What benefit does the second snippet of code offer? My professor in the aforementioned course was very traditional and I imagine was teaching an archaic way of doing things. He did use a lot of PDO, but never for the above example. And yes, I know mysql_escape_string() is deprecated, but that is how I was taught. I'm trying to make an effort to change my method to be more appropriate for current trends.
Your question can be answered easily.
I hope you understand that whatever value have to be properly formatted to be put into SQL query. So prepared statement does. Unlike whatever *_escape_string, which does only partial formatting, prepared statement intended to do the full one. And right where it have to be done - not sooner, not later - so it makes it impossible to forget. That's the point.
You only need to understand the difference between formatting and escaping, which no professor ever understands.