Here's a guide about when and how to use prepared statements.
Why bother with prepared statements?
The first reason to use a prepared statement is to protect against SQL injections.
You can do this by removing all special characters, but there are times when that's not practical. (Example: you want to allow users who have apostrophes in their names to register for your website.) You can do it by escaping all of the strings that you pass into the SQL query, but it's easy to forget to sanitize a single field.
So how do you protect against SQL injection? Here is the simple way to never fall prey to SQL injection: never put a user-provided string into an SQL query, except as a parameter to a prepared statement.
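The following is an added example (not part of the guide above) that shows the rule in practice with Python's built-in `sqlite3` module: one lookup that splices the user-provided string into the SQL text, beside the same lookup written as a prepared statement with a `?` placeholder. The `users` table and its two rows are constructed here for the demonstration; the name `O'Brien` is exactly the apostrophe case the guide mentions.

```python
import sqlite3


def make_db():
    # Constructed in-memory database so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("O'Brien",)])
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    # VULNERABLE: the user-provided string becomes part of the SQL text, so
    # any quote character in it changes the meaning of the statement.
    sql = f"SELECT name FROM users WHERE name = '{name}' ORDER BY id"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        # An apostrophe in the name breaks the statement outright; a
        # cleverer input would instead change which rows come back.
        return None


def find_user_safe(conn, name):
    # Prepared statement: the SQL text is fixed, and the value is bound to
    # the '?' placeholder separately, so it is only ever compared as data.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def run_demo():
    # Compare both approaches on a legitimate name that contains an apostrophe
    # and on a string whose quote would alter the unsafe query's WHERE clause.
    conn = make_db()
    inputs = ["alice", "O'Brien", "x' OR '1'='1"]
    return {
        name: {"unsafe": find_user_unsafe(conn, name), "safe": find_user_safe(conn, name)}
        for name in inputs
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name!r}: unsafe={result['unsafe']!r} safe={result['safe']!r}")
```

With the placeholder, `O'Brien` is simply found and the quote-bearing string matches nothing, because neither ever reaches the SQL parser as SQL; the spliced version errors on the first and returns every row for the second. The placeholder syntax varies by driver (`?`, `%s`, `:name`), but the principle is the same: pass user input only as a bound parameter.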