oder geht es besser, einfacher, sicherer

Prepared Statements:

$pdo = new PDO(...);
$qry = $pdo->prepare('SELECT foo FROM bar WHERE name = ?');
$qry->execute([$_GET['name']]);
$foos = $qry->fetchAll();