This is a conceptual question. Prepared statements protect the query from SQL injection.
// $dbh is an existing PDO connection; $calories and $colour hold values that
// arrived from outside (form fields, request parameters)
$sth = $dbh->prepare('SELECT name, colour, calories FROM fruit
    WHERE calories < :calories AND colour = :colour');
$sth->bindParam(':calories', $calories);
$sth->bindParam(':colour', $colour);
$sth->execute();
But if you don't use external values, you don't need prepared statements; that's why query() is used.
// no external value appears in the SQL text, so it is run directly
$sth = $dbh->query('SELECT name, colour FROM fruit
    WHERE calories < 50');
But isn't it better to also use execute() for unprepared statements instead of query()?
The statements must be prepared before being processed, because in a production environment they respond to user interaction; that is, a select, insert, update or delete will depend on the variables that the user sends:
For the above case, the system response will depend on the information sent by the user.
The point is not so much an opinion of whether it is better or not, but rather that the statements must not only perform operations on the database, but also protect the user who is using them from SQL injection attacks.
I advise you to keep in mind that you not only have execute() or bindParam() available, but also:
So that with the above, when doing bindParam() the type of the value being passed is identified.
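The following is an added, runnable illustration of the distinction discussed in the question and the answer; it is not code from either post. It builds a throwaway in-memory SQLite table with constructed sample rows (the pdo_sqlite extension is assumed), runs the fixed-text query through query(), runs the user-driven query through prepare()/bindParam() with explicit PDO::PARAM_* types, and shows that input shaped like an injection attempt is bound as a literal string and matches nothing. Note that PDOStatement::execute() only exists on a statement object returned by prepare(); for SQL with no external values, query() (returns a result set) and exec() (no result set) are the direct calls.

```php
<?php
// Added example, not from the original question or answer. Assumes pdo_sqlite;
// the fruit table and its rows are constructed sample data.

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Schema and seed rows are fixed strings written by the programmer: no external
// value is involved, so exec() without preparation is appropriate here.
$dbh->exec('CREATE TABLE fruit (name TEXT, colour TEXT, calories INTEGER)');
$dbh->exec("INSERT INTO fruit VALUES ('apple', 'red', 52), ('banana', 'yellow', 89),
            ('cherry', 'red', 50), ('lime', 'green', 30)");

// 1. Static query: the SQL text is fully under the programmer's control, so
//    query() is the right call and there is nothing to bind.
$static = $dbh->query('SELECT name, colour FROM fruit WHERE calories < 50');
print_r($static->fetchAll(PDO::FETCH_ASSOC));   // lime only

// 2. User-driven query: the values come from outside, so the statement is
//    prepared once and the values are bound. The PDO::PARAM_* constant is the
//    type hint the answer refers to; the driver sends the value as data, never
//    as part of the SQL text. bindValue() is the by-value alternative to
//    bindParam(), which binds the variable by reference.
function fruitBelow(PDO $dbh, int $calories, string $colour): array
{
    $sth = $dbh->prepare('SELECT name, colour, calories FROM fruit
                           WHERE calories < :calories AND colour = :colour');
    $sth->bindParam(':calories', $calories, PDO::PARAM_INT);
    $sth->bindParam(':colour', $colour, PDO::PARAM_STR);
    $sth->execute();
    return $sth->fetchAll(PDO::FETCH_ASSOC);
}

print_r(fruitBelow($dbh, 60, 'red'));           // apple and cherry

// 3. Hostile-looking input is just a string value: the query structure was fixed
//    at prepare() time, so the quote and OR are compared against the colour
//    column literally and the result is an empty array, not every row.
print_r(fruitBelow($dbh, 60, "red' OR '1'='1"));  // Array ( )
```

Run it with `php example.php`. If the same SELECT is issued many times with different user values, keep the PDOStatement from prepare() and call execute() repeatedly; preparing once and binding per call is both the safe pattern and the cheaper one.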