Ok, so I know you should use prepared statements to avoid injection attacks as well as for the huge speed improvements, but there is still one place that I find myself doing string manipulation to build my SQL query.
Suppose I have a search feature that consists of six or seven or n dropdown lists. Based on whether there is a default value in each of those lists I want to append an item to my where clause. Is there a good way to do this with prepared statements where I can pass the parameters to a stored procedure and have it determine whether or not to include each particular where clause?
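Two ways to handle optional dropdown filters without concatenating user values into the query, as an added example that is not code from the post: an application-side builder that only ever puts whitelisted column names into the SQL text and binds every value through a placeholder, and a fixed statement using the `(:p IS NULL OR col = :p)` pattern, which is the shape that also works inside a stored procedure receiving all n parameters. The `products` table, its columns and the sample rows are constructed for the demo.

```python
import sqlite3

# Whitelist of dropdown name -> column name; nothing outside this map reaches the SQL text.
ALLOWED_FILTERS = {"category": "category", "color": "color", "size": "size"}

def build_search(filters):
    """Return (sql, params) with one `col = ?` clause per dropdown that is not at its default."""
    clauses, params = [], []
    for name, value in filters.items():
        if name not in ALLOWED_FILTERS:
            raise ValueError(f"unknown filter: {name}")
        if value in (None, ""):
            continue                       # dropdown left at its default value
        clauses.append(f"{ALLOWED_FILTERS[name]} = ?")
        params.append(value)               # values are bound, never interpolated
    sql = "SELECT id FROM products"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params

# Fixed statement: every filter is always bound; the database ignores the NULL ones.
# The same predicate shape can live inside a stored procedure that takes all n parameters.
FIXED_SQL = """
SELECT id FROM products
WHERE (:category IS NULL OR category = :category)
  AND (:color    IS NULL OR color    = :color)
  AND (:size     IS NULL OR size     = :size)
"""

def search(conn, filters, fixed=False):
    """Run the search either with the dynamic builder or the fixed statement; returns sorted ids."""
    if fixed:
        bound = {k: (None if v in (None, "") else v) for k, v in filters.items()}
        rows = conn.execute(FIXED_SQL, bound)
    else:
        sql, params = build_search(filters)
        rows = conn.execute(sql, params)
    return sorted(r[0] for r in rows)

def demo_conn():
    """Constructed in-memory sample data for the demo (not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products(id INTEGER, category TEXT, color TEXT, size TEXT)")
    conn.executemany("INSERT INTO products VALUES (?,?,?,?)", [
        (1, "shirt", "red", "M"), (2, "shirt", "blue", "L"),
        (3, "hat", "red", "M"), (4, "hat", "blue", "S"),
    ])
    return conn
```

Both paths return the same rows for the same dropdown state; the fixed statement trades a slightly more complex predicate for a single plan the database can cache.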