phpnewbie34;11028933 wrote:I've heard from somebody else that using PDO is superior to mysqli prepared statements by means of being faster and easier to write
As for the "faster", intuition would lead me to believe that the opposite is true (PDO is, after all, an abstraction layer whereas MySQLi is clearly a lot more specialized). I doubt the difference is really that significant one way or the other, though. (In other words, the decision to use PDO over MySQLi solely based on which one executes faster is probably shortsighted in scope and isn't even the best place to invest time improving efficiency.)
As for "easier to write," that, to me, is dangerously close to saying that green is the best color because it's my favorite. (In other words, look at the coding examples in the manual and form your own subjective opinion rather than relying on anyone else's.)
If you're in the market for subjective opinions, here's mine: Prepared statements are at best overkill (at worst: a waste) for SQL queries you don't plan on executing more than once.
phpnewbie34;11028933 wrote:I am now looking to transfer my MySQLi code into PDO it is more secure
Again, that's not a good reason to change. In fact, it's not even a correct reason; PDO is no more or less secure than MySQLi or even the old mysql extension. If you don't know how to properly sanitize the necessary data or properly use parameters in prepared queries, you'll be able to write software that contains vulnerabilities no matter which API you choose.
phpnewbie34;11028933 wrote:This is what I'm trying to convert now:
$query = mysqli_query($con,"SELECT * FROM pixs WHERE title LIKE '%$keyword%' OR Description LIKE '%$keyword%'");
Do you have suggestions?
Assuming $keyword wasn't previously escaped, replace both instances of:
$keyword
with:
" . mysqli_real_escape_string($con, $keyword) . "
and the code will be "secure" as far as protecting against SQL injections/errors goes.
Otherwise, you'll have to be more specific as to what you're trying to convert that code snippet into. As sneakyimp points out, the manual pages for MySQLi and PDO functions/methods that execute queries or create prepared statements all contain code examples that augment the documentation of all of their parameters. For example, you could compare the code examples on the manual pages [man]mysqli.prepare[/man] and [man]pdo.prepare[/man] to get a rough idea of the code you'd be writing if you chose one API over the other.
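For comparison, here is the quoted search query rewritten as a prepared statement in both APIs. This is an added example, not code from either poster: it assumes the `pixs` table with the `title` and `Description` columns from the quoted query, a constructed hostname, database name and credentials, and the mysqlnd driver (needed for `mysqli_stmt::get_result`). It also handles one detail parameter binding does not cover on its own: `%` and `_` typed by the user are LIKE wildcards, so they are escaped with a literal escape character before the surrounding `%` wildcards are added.

```php
<?php
// Added example, not from the forum thread. Assumes a MySQL table `pixs`
// with columns `title` and `Description` (from the quoted query), the mysqlnd
// driver for get_result(), and the constructed connection details below.
declare(strict_types=1);

// Escape LIKE metacharacters so a user-supplied '%' or '_' matches literally.
// Binding the value as a parameter stops it from being parsed as SQL, but it
// does not stop it from being interpreted as a LIKE pattern; that is what
// this function and the ESCAPE clause in the queries below take care of.
function likeLiteral(string $value, string $escape = '!'): string
{
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

// Two positional placeholders are used rather than one named placeholder
// twice: PDO only allows reusing a named placeholder when prepares are emulated.
const SEARCH_SQL =
    "SELECT * FROM pixs WHERE title LIKE ? ESCAPE '!' OR Description LIKE ? ESCAPE '!'";

// PDO version of the quoted search.
function searchPixsPdo(PDO $pdo, string $keyword): array
{
    $pattern = '%' . likeLiteral($keyword) . '%';
    $stmt = $pdo->prepare(SEARCH_SQL);
    $stmt->execute([$pattern, $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// MySQLi version of the same search.
function searchPixsMysqli(mysqli $con, string $keyword): array
{
    $pattern = '%' . likeLiteral($keyword) . '%';
    $stmt = $con->prepare(SEARCH_SQL);
    // bind_param takes its arguments by reference, so the same variable
    // may be bound to both placeholders.
    $stmt->bind_param('ss', $pattern, $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage with constructed connection details (placeholders, not real values).
$keyword = $_GET['keyword'] ?? '';

$pdo = new PDO('mysql:host=localhost;dbname=example_db;charset=utf8mb4', 'example_user', 'example_pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // send real server-side prepares
]);
$pdoRows = searchPixsPdo($pdo, $keyword);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors
$con = new mysqli('localhost', 'example_user', 'example_pass', 'example_db');
$con->set_charset('utf8mb4');
$mysqliRows = searchPixsMysqli($con, $keyword);
```

Side by side, the two functions differ only in how the parameters are bound and the rows fetched; neither is more or less "secure" than the other, which is the point made above. Note that `likeLiteral` and the `ESCAPE '!'` clause are independent of the injection question: they keep a search for `100%` from matching every row that starts with `100`.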