Do I need to further process user input in prepared statements?

PDO documentation says:

“The parameters to prepared statements don’t need to be quoted; the driver automatically handles this.”

Is this really true and how safe is it?


Answer 1, authority 100%

Yes, it’s safe enough. If you pass parameters through $sth->execute(...), then quoting will be used as for a string, if there are some subtleties when passing, then use $sth->bindParam()– then it will be possible to specify how specifically to process the specified variable.