PDO documentation says:
“The parameters to prepared statements don’t need to be quoted; the driver automatically handles this.”
Is this really true and how safe is it?
Answer 1, authority 100%
Yes, it’s safe enough. If you pass parameters through $sth->execute(...), they are quoted as strings; if there are subtleties in how a value should be passed, use $sth->bindParam(), which lets you specify exactly how the given variable is to be processed.
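As an added example (not part of the original question or answer), the two ways the answer mentions, run against an in-memory SQLite database so it works offline; the LIMIT remark refers to MySQL with its default emulated prepares, and the table, names and hostile input are constructed for the demonstration:

```php
<?php
// Added example, not code from the original post. In-memory SQLite so it runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('carol')");

// 1. A value passed via execute() is bound as a string and never spliced into the
//    SQL text, so quote characters or comment markers inside it are just data.
$hostile = "' OR 1=1 --";                      // constructed sample input
$stmt = $pdo->prepare('SELECT id FROM users WHERE name = ?');
$stmt->execute([$hostile]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo count($rows), " row(s) for the hostile string\n"; // 0: no name equals that literal

// 2. The subtlety the answer alludes to: execute() binds every value as PDO::PARAM_STR.
//    For a LIMIT clause MySQL (default emulated prepares) then receives LIMIT '2',
//    which is a syntax error. Binding the type explicitly avoids that.
$limit = '2';                                   // e.g. straight from a query string
$stmt = $pdo->prepare('SELECT name FROM users ORDER BY id LIMIT ?');
$stmt->bindValue(1, (int) $limit, PDO::PARAM_INT);
$stmt->execute();
print_r($stmt->fetchAll(PDO::FETCH_COLUMN));    // alice, bob

// 3. bindParam() binds by reference: the variable is read at execute() time,
//    so one prepared statement can be reused in a loop with a declared type.
$name = null;
$stmt = $pdo->prepare('SELECT id FROM users WHERE name = :name');
$stmt->bindParam(':name', $name, PDO::PARAM_STR);
foreach (['bob', 'nobody'] as $name) {
    $stmt->execute();
    printf("%s -> %s\n", $name, $stmt->fetchColumn() === false ? 'not found' : 'found');
}
```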