I just ran into this blog post https://joshduff.com/2011-05-10-why-you-should-not-be-using-mysqli-prepare.md
This goes against everything I've been taught. I've always thought you should always use prepared statements for security. While it's possible to make sure you escape well, you're best to rely on prepared statements doing that for you.
But is this guy correct? Is the performance hit a big enough problem?