Reputation: 39
I use PDO to read/enter MySQL data in order to prevent SQL injection:
$stmt = $DBH->prepare("SELECT * FROM T_Users WHERE User_Name = :UN");
$stmt->bindParam(':UN', $user_name);
$stmt->execute();
Are there any reasons I should be escaping characters before entering them in the database or before displaying the data from the database in the browser? Can malicious people exploit my website or other users by perhaps recording JavaScript code to my database?
Thanks!
Upvotes: 0
Views: 196
Reputation: 1265
The ->prepare() method, along with bindParam(), does everything for you, so there's no need to do anything else.
When you bind a param to the prepared statement variable, it puts the raw data in rather than adding it to the query like the old ways of doing it! :)
Upvotes: 2
Reputation: 351394
You should certainly not escape the arguments you pass for binding parameters.
There is no escaping happening at all. It is the SQL engine that compiles the statement with placeholders, and receives the parameter values separately, unescaped, later. It is the capability of the SQL engine to combine the compiled statement (there is no more SQL string at this point) and the parameter values that ensures that the whole problem of SQL injection has become irrelevant.
Escaping values that you pass for binding placeholders would have a negative effect. The SQL engine really needs the values as they are, and if they are escaped in some way, the engine will not unescape them, but take them literally.
Upvotes: 2
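An added example, not code from the question or either answer: it runs the question's prepare/bind pattern against an in-memory SQLite database through PDO (assumed here so it runs offline) and shows the point of the second answer, that a value passed through addslashes() before binding is stored with the backslash, followed by the separate output-encoding step the question asks about for browser display.

```php
<?php
// Added example (not from the question or the answers). In-memory SQLite is
// used so it runs offline; the table T_Users and column User_Name come from
// the question.
$DBH = new PDO('sqlite::memory:');
$DBH->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$DBH->exec('CREATE TABLE T_Users (User_Name TEXT)');

// Constructed sample inputs: a name with a quote, the same name wrongly
// escaped before binding, and a value that contains HTML markup.
$raw     = "O'Brien";
$escaped = addslashes($raw);              // becomes O\'Brien
$markup  = '<script>alert(1)</script>';

$ins = $DBH->prepare('INSERT INTO T_Users (User_Name) VALUES (:UN)');
foreach ([$raw, $escaped, $markup] as $value) {
    $ins->bindValue(':UN', $value);       // value travels separately from the SQL text
    $ins->execute();
}

// Look up the raw value: the bound parameter is compared literally, so the
// quote inside it is never part of the SQL statement and the row is found.
$stmt = $DBH->prepare('SELECT User_Name FROM T_Users WHERE User_Name = :UN');
$stmt->bindValue(':UN', $raw);
$stmt->execute();
var_dump($stmt->fetchColumn());           // the value exactly as bound

// The addslashes()'d copy was stored with its backslash: the engine did not
// unescape it, so the "escaped" row no longer matches the real name.
$stmt->bindValue(':UN', $raw);
$stmt->execute();
var_dump($stmt->fetchColumn() === $escaped);

// Binding protects the query only. When a stored value is placed in HTML,
// encode it for that context so stored markup is rendered as text, not run.
foreach ($DBH->query('SELECT User_Name FROM T_Users') as $row) {
    echo '<li>' . htmlspecialchars($row['User_Name'], ENT_QUOTES, 'UTF-8') . "</li>\n";
}
```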