Definitely yes.
In fact, native prepared statements are only good for the simple cases found in textbooks.
So you still have to write a few "hundreds of lines" for any difficult case. I made a small collection of such cases in the PDO tag wiki. The main disadvantages are:
- no placeholders for identifiers. You must format them and insert them into the query manually, as in the good old mysql_* code.
- no placeholders for arrays. This means that you still have to write the code manually and then insert it into the query, so there is still a chance of running into some kind of problem.
Therefore, you need a higher level of abstraction, even with PDO. A common solution is to use a kind of Query Builder, which every modern framework offers.
But personally, I hate query builders because they seem too bloated to me, pretending to replace all of SQL but clearly unable to handle it. So I don't understand why I should use SQL written in PHP when I can use pure SQL. To do this, I created my own abstraction library to fix all the shortcomings of native prepared statements, safeMysql. It has placeholders for everything you need, and thus makes queries much safer than PDO does, while making application code much shorter.
So with safeMysql you really can "just literally write queries":
```php
$sql  = "SELECT * FROM articles WHERE id IN(?a) ORDER BY ?n LIMIT ?i";
$data = $db->getAll($sql, $ids, $_GET['order'], $limit);

$sql = "INSERT INTO stats SET pid=?i,ip=inet_aton(?s),?u ON DUPLICATE KEY UPDATE ?u";
$db->query($sql, $pid, $ip, $data, $data);
```
Just compare these two-liners with the amount of code you would need to write using raw PDO.
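To show what the typed placeholders in the answer above (`?s`, `?i`, `?n`, `?a`, `?u`) actually do to untrusted input, here is an added illustration in Python of the same placeholder scheme. It is not safeMysql's own code and does not run against a database; the string escaping is a simplified stand-in for the driver's quoting, and the empty-list handling for `?a` is my own choice, not the library's.

```python
import re

def quote_str(value):
    """Quote a string literal (simplified escaping, assumed here for the demo)."""
    escaped = str(value).replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"

def quote_ident(name):
    """Quote an identifier: backticks, with embedded backticks doubled.
    Whatever the user supplies stays a single (possibly bogus) column name."""
    return "`" + str(name).replace("`", "``") + "`"

def quote_int(value):
    """?i accepts only values that parse as an integer; anything else is an error."""
    return str(int(value))

def quote_val(value):
    """Scalar used inside ?a lists and ?u sets: ints unquoted, everything else a string."""
    return str(value) if isinstance(value, int) else quote_str(value)

def format_query(sql, *args):
    """Replace each typed placeholder with a safely formatted literal, left to right.
    ?s string, ?i integer, ?n identifier, ?a list for IN(), ?u dict for SET a=b,..."""
    pending = list(args)

    def replace(match):
        kind = match.group(1)
        if not pending:
            raise ValueError("too few arguments for query")
        value = pending.pop(0)
        if kind == "s":
            return quote_str(value)
        if kind == "i":
            return quote_int(value)
        if kind == "n":
            return quote_ident(value)
        if kind == "a":
            if not value:
                raise ValueError("empty list for ?a placeholder")  # assumption: refuse IN()
            return ",".join(quote_val(v) for v in value)
        # kind == "u": column=value pairs, columns as identifiers
        return ",".join(f"{quote_ident(k)}={quote_val(v)}" for k, v in value.items())

    out = re.sub(r"\?([sinau])", replace, sql)
    if pending:
        raise ValueError("too many arguments for query")
    return out
```

Feeding a hostile `ORDER BY` value into `?n` yields one backtick-quoted name, and a non-numeric `LIMIT` into `?i` raises instead of being spliced into the SQL.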