Reputation: 31307
    public function receiveDomainNames($keyword)
    {
        try
        {
            $stmt = $this->_dbh->prepare("SELECT d.someField FROM domain d WHERE d.someField LIKE :keyword");
            $someField = '%'.$keyword.'%';
            // The keyword is sent as a bound value, not spliced into the SQL text
            $stmt->bindValue(':keyword', $someField, PDO::PARAM_STR);
            $stmt->execute();
            return $stmt->fetchAll(PDO::FETCH_ASSOC);
        }
        catch (PDOException $e)
        {
            throw $e;
        }
    }
Do we need to escape $keyword in this case?
In the PHP manual we can read:
If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible).
Is this the case in your opinion? Are we, in this case, building up the query with unescaped input (no prior treatment has been made to our $keyword parameter)?
Thanks in advance, MEM
Upvotes: 2
Views: 644
Reputation: 1667
If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible).
I'd figure variables you create shouldn't have to be escaped because you know what they're doing.
Only escape content gotten from the user, such as $_COOKIE, $_POST, $_GET and other parameters such as the URL.
Upvotes: 0
Reputation: 18271
Given the above SQL statement, I see no rational possibility of a SQL injection.
What the warning about "other parts" refers to would be a SQL query like:
    // Intentionally unsafe: the column list and table name come straight from
    // user input and are interpolated into the SQL text, so binding :id does
    // nothing to protect them
    $binds = array(":id" => $_GET['id']);
    $statement = $myPDO->prepare("SELECT {$_GET['columns']} FROM {$_GET['table']} WHERE id = :id");
    $statement->execute($binds);
The example is a worst-case, explicit example of what they mean: that someone might naively think that since they're escaping the WHERE argument, everything is safe.
With your example above, there is no un-escaped input so you're safe.
Upvotes: 1
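As an added example (not code from the question or either answer), here is the question's LIKE search with the keyword bound as data, next to the "other portions of the query" case handled the only safe way: an allow-list for the identifiers that PDO cannot bind. It assumes a `PDO` connection `$dbh` and the question's `domain` table and `someField` column; the `otherField` column and the allow-list are constructed for the example.

```php
<?php
// Added example, not from the original question or answers.
// Assumes $dbh is a PDO connection to a database with table "domain".

// Safe: the keyword travels as a bound parameter, never as query text.
// The % wildcards are added in PHP, so the value stays data, not SQL.
function searchDomains(PDO $dbh, string $keyword): array
{
    // LIKE metacharacters in the keyword are a matching issue, not an
    // injection issue: "100%" would otherwise act as a wildcard. Escaping
    // them with a declared ESCAPE character makes the match literal.
    $literal = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $keyword);
    $stmt = $dbh->prepare(
        "SELECT d.someField FROM domain d WHERE d.someField LIKE :keyword ESCAPE '!'"
    );
    $stmt->bindValue(':keyword', '%' . $literal . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The "other portions" case from the second answer: table and column names
// cannot be bound, so a caller-chosen identifier is only safe when it is
// checked against a fixed list of names we control.
function searchByColumn(PDO $dbh, string $table, string $column, string $keyword): array
{
    $allowed = [
        'domain' => ['someField', 'otherField'],   // constructed allow-list
    ];
    if (!isset($allowed[$table]) || !in_array($column, $allowed[$table], true)) {
        // Unknown identifier: refuse rather than interpolate user input
        throw new InvalidArgumentException('Unknown table or column');
    }
    // $table and $column are now literals from our own list, so building the
    // SQL text from them is safe; $keyword is still bound as data.
    $sql = sprintf("SELECT %s FROM %s WHERE %s LIKE :keyword ESCAPE '!'", $column, $table, $column);
    $stmt = $dbh->prepare($sql);
    $literal = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $keyword);
    $stmt->bindValue(':keyword', '%' . $literal . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}
```

Setting `PDO::ATTR_EMULATE_PREPARES` to `false` on the connection makes the driver use real server-side prepared statements where the database supports them; with emulation on, PDO still escapes bound values client-side, so the bound keyword is safe either way.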