I want to switch to mysqli prepared statements but have a question before I start.
Example 1:

    $query = $mysqli->prepare('SELECT * FROM users WHERE username = ?');
    $query->bind_param('s', $_GET['username']);
    $query->execute();

Example 2:

    $query = $mysqli->prepare("SELECT * FROM users WHERE username = 'Rick'");
    $query->execute();
Is bind_param always necessary and why, for security reasons?
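As an added illustration (not code from the question itself), here is the lookup from example 1 written as a complete function that binds the request value as a parameter, next to the string-building version it replaces, so the difference in how the value reaches the server is visible. The connection, the `users` table and its `id`/`username` columns are assumed; the credentials in the usage comment are placeholders.

```php
<?php
// Added example, not from the original post. Assumes an open mysqli
// connection and a table `users` with columns `id` and `username`.
declare(strict_types=1);

// Make mysqli throw exceptions instead of returning false on failure,
// so a failed prepare() cannot silently turn into a call on `false`.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Prepared version: the SQL text is sent to the server first and the value
 * of $username travels separately, bound as a string ('s'). The server
 * compares it as data only, so it can never alter the statement's structure.
 * This is what bind_param buys you whenever the value comes from outside.
 */
function findUserByName(mysqli $mysqli, string $username): ?array
{
    $stmt = $mysqli->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);   // bind_param takes the variable by reference
    $stmt->execute();
    $stmt->bind_result($id, $name);       // avoids the mysqlnd-only get_result()
    $found = $stmt->fetch();
    $stmt->close();

    return $found ? ['id' => $id, 'username' => $name] : null;
}

/**
 * String-building version, shown only for contrast: the request value is
 * spliced into the SQL text, so any quote or SQL syntax inside it becomes
 * part of the statement the server parses. Do not use this with untrusted
 * input; it is the pattern a prepared statement exists to replace.
 */
function findUserByNameUnsafe(mysqli $mysqli, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    $result = $mysqli->query($sql);
    $row = $result->fetch_assoc();
    $result->free();

    return $row ?: null;
}

/**
 * Example 2 from the question: the literal 'Rick' is fixed in the source,
 * so there is no outside value to bind and nothing for an attacker to
 * influence. A prepared statement still works fine here; it is just not
 * what protects you in this case.
 */
function findRick(mysqli $mysqli): ?array
{
    $stmt = $mysqli->prepare("SELECT id, username FROM users WHERE username = 'Rick'");
    $stmt->execute();
    $stmt->bind_result($id, $name);
    $found = $stmt->fetch();
    $stmt->close();

    return $found ? ['id' => $id, 'username' => $name] : null;
}

// Usage (placeholder connection details, assumed for this example):
// $mysqli = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
// $user   = findUserByName($mysqli, $_GET['username'] ?? '');
```

The practical rule this shows: the value from `$_GET` is the part you do not control, so it goes through `bind_param`; a literal written into the query by you has no such exposure. Using the prepared form everywhere is still the easier habit to keep, because a query that starts with a fixed literal often later grows a variable.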