prepare is for external DB?
prepare is for EVERY database call. No exceptions. :)
For an example...
global $wpdb;
$post_id = $_POST['id']; // Never trust user-submitted values!
$query = $wpdb->prepare( "SELECT ID, post_title from " . $wpdb->posts ." WHERE ID = %d", $post_id );
$result = $wpdb->get_row( $query );
For more information on how to use this, read on here:
https://codex.wordpress.org/Class_Reference/wpdb#Protect_Queries_Against_SQL_Injection_Attacks
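
An added example, not part of the original post, that goes beyond the single %d case above to the two query shapes where prepare() is most often misapplied: LIKE patterns and IN (...) lists. It assumes the code runs inside WordPress, where the global $wpdb exists; the function name and the 'q' and 'ids' request fields are hypothetical.

```php
<?php
// Added example. example_find_posts(), 'q' and 'ids' are hypothetical names.
// Assumes a WordPress request context, where the global $wpdb object exists.
function example_find_posts() {
    global $wpdb;

    // Never trust user-submitted values: check type and presence first.
    $term = ( isset( $_POST['q'] ) && is_string( $_POST['q'] ) )
        ? wp_unslash( $_POST['q'] )
        : '';
    $ids = isset( $_POST['ids'] )
        ? array_map( 'absint', (array) $_POST['ids'] )
        : array();

    // LIKE: prepare() quotes the string but does not escape the % and _
    // wildcards inside it. esc_like() escapes them; the surrounding %
    // wildcards go into the argument, not into the query string.
    $like     = '%' . $wpdb->esc_like( $term ) . '%';
    $by_title = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_title LIKE %s AND post_status = %s",
            $like,
            'publish'
        )
    );

    // IN (...): build one %d placeholder per value and pass the values
    // as an array, so every element still goes through prepare().
    $by_id = array();
    if ( $ids ) {
        $placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
        $by_id        = $wpdb->get_results(
            $wpdb->prepare(
                "SELECT ID, post_title FROM {$wpdb->posts}
                 WHERE ID IN ( $placeholders )",
                $ids
            )
        );
    }

    return array( 'by_title' => $by_title, 'by_id' => $by_id );
}
```

The only strings interpolated into either query are $wpdb->posts and a placeholder list built from a count, never from request data.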