Hector Martin

Well the page says "basic examples", and usually the first thing you learn with DB connections with PHP is just to feed queries to it, and then take care of the security. They have examples for prepared statements tho, and they are in the quickstart guide http://php.net/manual/en/mysqli.quickstart.prepared-statements.php …

No, no, no, no, no. You **never** teach people the wrong way to begin with. Teaching the insecure way of doing things first is a *terrible* idea. If they just want to demonstrate a simple query first then it should be a constant one with no variable interpolation.

I totally agree, but for someone that has been programming PHP for little time it may feel overwhelming to construct a query instead of operating with the DB the same way they do on console/DB client/whatever they use to send queries.

If you have no prior experience with programming at all, then it's pretty likely that you've never used a command-line client to send an SQL query either; so a "this is the shape of the query, these are the values" model is *more* intuitive than gluing it all together.

Unless you are in a job training course and you have many subjects. We started learning c#, html, css, javascript and databases first year, and we were looking into server side stuff (mainly PHP) second year. So in my case, yeah, we learnt SQL before any kind of severside tech.

Then whoever was teaching the SQL course should have started out by telling you that there are roughly two ways to create a query, for manual vs. automated queries; literal queries vs. parameterized queries.

(Also, that is a basically impossible workload to learn right within a year. But that's a different discussion.)