You should use it where possible, since it greatly reduces the (error-prone) task of keeping track of which variables contain "trusted" data and which don't.
You should use placeholders, but there are times when placeholders aren't a suitable replacement for escaping the string ... however, those tend to be risky security-wise.
Placeholders only work with values for fields ... if you're trying to do something like allowing the user to select an arbitrary table or field, you'll have to escape the value. I don't know if it's true for all versions, but from what I recall, even setting a LIMIT couldn't be done with a placeholder in older versions. In these sorts of cases, I typically abort entirely if values aren't composed of only known-good characters ([a-zA-Z0-9_] for fields/tables, [0-9] for limits, etc.) ... but it's best to avoid the issues as best you can.
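A worked illustration of the point in the post above (added here as an example; it is not code from the thread, and it uses Python's sqlite3 module rather than Perl DBI, so the table names, payload and helper names are all constructed for the demo). It shows why "escaping" does nothing for a table or column name that is interpolated into the statement, since an identifier is never inside a quoted string, and contrasts that with the whitelist the poster describes: abort unless the identifier matches [a-zA-Z0-9_] and the limit matches [0-9]. Values still go through placeholders. The limit is passed as a placeholder because sqlite3 accepts that; on a driver that does not, the same digit-only check is what makes interpolating it safe.

```python
import re
import sqlite3

# Whitelists from the post: identifiers may only contain [a-zA-Z0-9_],
# limits only [0-9]. Anchored with \A and \Z so nothing can trail them.
IDENT_RE = re.compile(r"\A[A-Za-z0-9_]+\Z")
LIMIT_RE = re.compile(r"\A[0-9]+\Z")


class UnsafeInput(ValueError):
    """Raised when a caller-supplied SQL fragment fails the whitelist."""


def check_identifier(name):
    """Abort unless the table/column name is made of known-good characters."""
    if not IDENT_RE.match(name):
        raise UnsafeInput("identifier rejected: %r" % name)
    return name


def check_limit(limit):
    """Abort unless the limit is a plain run of digits; return it as int."""
    if not LIMIT_RE.match(limit):
        raise UnsafeInput("limit rejected: %r" % limit)
    return int(limit)


def naive_escape(s):
    """Value-style escaping: doubles single quotes. Adequate inside a quoted
    string literal, useless for identifiers, which are never quoted."""
    return s.replace("'", "''")


def unsafe_list_column(conn, table, column):
    # Vulnerable on purpose: identifiers interpolated after "escaping" them.
    # A payload with no quote characters passes through untouched.
    sql = "SELECT %s FROM %s" % (naive_escape(column), naive_escape(table))
    return conn.execute(sql).fetchall()


def safe_list_column(conn, table, column, limit):
    # Identifiers cannot be placeholders, so they are whitelisted instead.
    table = check_identifier(table)
    column = check_identifier(column)
    n = check_limit(limit)
    # Double-quoting keeps a keyword-named identifier an identifier; the
    # regex already guarantees there is no quote or whitespace inside it.
    sql = 'SELECT "%s" FROM "%s" ORDER BY "%s" LIMIT ?' % (column, table, column)
    return conn.execute(sql, (n,)).fetchall()  # limit goes via placeholder


def make_db():
    """Constructed sample schema for the demo (not a real application)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE api_keys (id INTEGER PRIMARY KEY, secret TEXT);
        INSERT INTO users (name) VALUES ('alice'), ('bob');
        INSERT INTO api_keys (secret) VALUES ('k-0001'), ('k-0002');
    """)
    return conn


def demo():
    conn = make_db()
    # Constructed attacker input: no quotes, so naive_escape() changes nothing,
    # and the trailing "--" comments out the real FROM clause.
    payload = "secret FROM api_keys --"
    leaked = unsafe_list_column(conn, "users", payload)
    try:
        safe_list_column(conn, "users", payload, "10")
        blocked = False
    except UnsafeInput:
        blocked = True
    ok = safe_list_column(conn, "users", "name", "1")
    return leaked, blocked, ok


if __name__ == "__main__":
    print(demo())
```

Running demo() returns the leaked api_keys rows from the vulnerable path, True for the whitelist rejecting the same payload, and the single ordered users row from the safe path. The whitelist is deliberately strict: a legitimately quoted identifier such as a column with a space in its name would also be rejected, which is the trade-off the poster accepts by aborting rather than trying to escape.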