I've been looking through the Zend_Db documentation, and I'm wondering why you would ever want to use quoteInto() or quote() as opposed to binding your parameters in an array. What's the advantage to quoteInto()/quote()? Isn't the separation of data provided by bound parameters always going to be more secure than attempting to manipulate the strings? As I understand it, all statements are prepared anyhow, so why not use more bound parameters?
For example, wouldn't bound parameters always avoid bizarre problems like Unicode SQL injections [http://bugs.mysql.com/bug.php?id=22243], whereas with quote/quoteInto you're trusting the string parse to get it right? I'm curious because it looks like relatively few methods (none?) in Zend_Db_Table support bound parameters. To use binding, I need to go to the adapter every time, which makes my Zend_Db_Table class somewhat less convenient. I'm new to ZF, so maybe I'm just missing something really obvious here. I'd appreciate it if anyone could provide some insight. Thanks, - Ryan
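The two patterns the question contrasts, side by side in Zend Framework 1 code. This is an added example, not code from the post or from the Zend_Db documentation; the `users` table, the `Users` class, the connection values and the choice to disable PDO's emulated prepares are assumptions made for the illustration. It shows why the Zend_Db_Table path is "quoting" rather than "binding": `Zend_Db_Select::where('col = ?', $value)` runs the value through the adapter's `quoteInto()`, so the value ends up inside the SQL text and the safety of that path rests on `quote()` knowing the connection charset. Going to the adapter with a bind array keeps the value out of the statement text entirely.

```php
<?php
// Added example (not from the original post): quoteInto() versus bound
// parameters in Zend Framework 1's Zend_Db. Assumes ZF1 is on the
// include_path; all connection values below are placeholders.
require_once 'Zend/Db.php';
require_once 'Zend/Db/Table/Abstract.php';

$db = Zend_Db::factory('Pdo_Mysql', array(
    'host'     => 'localhost',   // placeholder
    'username' => 'app',         // placeholder
    'password' => 'secret',      // placeholder
    'dbname'   => 'appdb',       // placeholder
    // Tell the driver the connection charset so any client-side quoting
    // (quote()/quoteInto()) is multibyte-aware; this is the setting the
    // MySQL bug linked in the question is about.
    'charset'  => 'utf8',
    'driver_options' => array(
        // Assumption for this example: ask PDO for real server-side
        // prepares. PDO_MySQL emulates prepares by default, in which case
        // "bound" values are still interpolated client-side before the
        // statement reaches the server.
        PDO::ATTR_EMULATE_PREPARES => false,
    ),
));
Zend_Db_Table_Abstract::setDefaultAdapter($db);

class Users extends Zend_Db_Table_Abstract
{
    protected $_name = 'users';   // assumed table

    // Pattern 1: the Zend_Db_Table route. where('name = ?', $name) calls
    // the adapter's quoteInto(), so $name is escaped and spliced into the
    // SQL string. Correct only as far as quote() matches the charset.
    public function findByNameQuoted($name)
    {
        $select = $this->select()->where('name = ?', $name);
        return $this->fetchRow($select);
    }

    // Pattern 2: go to the adapter and bind. The value travels separately
    // from the statement text; no quoting of $name happens in PHP.
    public function findByNameBound($name)
    {
        $sql = 'SELECT * FROM users WHERE name = :name';
        return $this->getAdapter()->fetchRow($sql, array('name' => $name));
    }
}

$users   = new Users();
$hostile = "x' OR '1'='1";   // constructed sample input, a literal user name

// Both lookups search for a user literally named x' OR '1'='1;
// neither turns the condition into "match every row".
$rowQuoted = $users->findByNameQuoted($hostile);
$rowBound  = $users->findByNameBound($hostile);

// Show what each path actually sends: pattern 1 yields a single SQL
// string with the value quoted into it, pattern 2 sends the template
// unchanged plus a separate bind array.
echo "quoteInto path : ", $db->quoteInto('SELECT * FROM users WHERE name = ?', $hostile), "\n";
echo "bound path     : SELECT * FROM users WHERE name = :name", "\n";
echo "bind array     : ", var_export(array('name' => $hostile), true), "\n";
```

Printing the two statements makes the difference concrete: with `quoteInto()` you can read the escaped value inside the SQL, which is exactly the surface a charset mismatch would act on; with the bind array the SQL text never contains the value, so there is nothing for an escaping bug to get wrong. When the table route is more convenient, setting `charset` in the adapter config is the one check worth making, since it is what `quote()` relies on.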
