> Be careful with WordPress - it's database handler doesn't actually use > parameterized statements, it emulates them with printf - one (of many) > reasons I do not like the product. This is a rather controversial statement. There's nothing wrong with using sprintf when building sql queries. Besides "Using a prepared statement is not always the most efficient way of executing a statement. A prepared statement executed only once causes more client-server round-trips than a non-prepared statement."