i kept reading on sql injections after answering a guy on the subject and end up on this page: http://php.net/manual/en/pdo.prepared-statements.php

which i think is great for optimisation and i will probably apply on this portal im working on, but ...
what do you guys think about this prebuild template like versus sql injections ?
would you trust this prepared statement for security or you will still apply some security measures?

thx for your input

Hey, throwing this out there.

(I spend my time researching/developing Speech Algorithms so don't code much in PHP anymore) but I read an article that said that PDO removes the risk of SQL injections.. So probabily. There's a lot of debate to whether PDO or MYSQLI is more efficient etc.. :)

It reduces risk. Always validate your inputs. Don't blindly inject a value, even if you are binding it. It may be the wrong type and you end up with unexpected results.

I agree with pritaeas, when it comes to security the more "layers" you can have the more secure you will be. While PDO helps to mitigate risk, there will always be unexpected input or ways discovered to circumvent that particular security check. For proper risk management I would alwyas verify user input against what it should be before sending it to be actioned.