I would like to know why MediaWiki encodes SQL parameters instead of using prepared statements with placeholders.
I only know of advantages to using prepared statements, such as protection against SQL injection, speed from having the SQL statements pre-parsed, and code that is easier to write and read.
Prepared statements using MySQL directly: http://devzone.zend.com/node/view/id/686
Prepared statements using MDB2: http://pear.php.net/manual/en/package.database.mdb2.intro-execute.php
Could you explain why prepared statements are not used in the MediaWiki code?
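Added example, not part of the original post and not MediaWiki's code: the three approaches the question contrasts (raw string concatenation, a prepared statement with a placeholder, and building the query text from encoded literals), run against an in-memory SQLite database in Python. The table, rows, injection payload and the `sql_string_literal` encoder are constructed for illustration; the encoder implements the standard-SQL rule of doubling embedded single quotes and is not MediaWiki's quoting function.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real wiki).
USERS = [("alice", "secret1"), ("bob", "secret2")]

# Constructed attacker input: closes the string literal and appends a
# tautology so the WHERE clause matches every row.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Create an in-memory database with a tiny user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (user_name TEXT, user_password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)", USERS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable: untrusted input is spliced straight into the SQL text."""
    sql = "SELECT user_name FROM user WHERE user_name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, name):
    """Prepared statement with a placeholder.

    The value is handed to the driver separately from the statement text,
    so whatever it contains is compared as data and never parsed as SQL.
    """
    sql = "SELECT user_name FROM user WHERE user_name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def sql_string_literal(value):
    """Illustrative encoder: render a Python string as a SQL string literal.

    Standard SQL (and SQLite) escape an embedded single quote by doubling
    it. This is a hypothetical helper for the example, not MediaWiki's own
    quoting code, and it is only correct for servers using that literal
    syntax.
    """
    return "'" + value.replace("'", "''") + "'"


def lookup_encoded(conn, name):
    """Encoding approach: the query is still text, but every value passes
    through the encoder before it is spliced in, so the payload stays inside
    one string literal."""
    sql = "SELECT user_name FROM user WHERE user_name = " + sql_string_literal(name)
    return [row[0] for row in conn.execute(sql)]


def demo():
    """Run all three variants against the payload and a legitimate name."""
    conn = make_db()
    return {
        "concat_payload": lookup_concat(conn, PAYLOAD),      # every row leaks
        "prepared_payload": lookup_prepared(conn, PAYLOAD),  # no match
        "encoded_payload": lookup_encoded(conn, PAYLOAD),    # no match
        "prepared_alice": lookup_prepared(conn, "alice"),
        "encoded_alice": lookup_encoded(conn, "alice"),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

Both the placeholder and the encoding approach defeat the constructed payload here; the difference is where correctness lives. With placeholders the server never sees the value as part of the statement text. With encoding, safety depends on every value being routed through the encoder and on the encoder matching the server's literal syntax exactly: MySQL, for instance, treats a backslash inside a string literal as an escape character unless NO_BACKSLASH_ESCAPES is set, so the quote-doubling rule alone is not sufficient there.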