Generally the question marks are to prevent SQL injections. One would need to be extremely careful when doing

$

string formatting of SQL queries.