Is it safe or not to use a POST var as below:
$stmt->bindParam(':'.$_POST[$field],$val);
or do I need to check POST vars before?
You should use $_POST variables as the value, not the parameter name.
The $_POST variable could contain spaces or other characters that are not valid parts of a parameter name. I'm concerned that if you are doing what you show, you have formed an SQL query like this:
$sql = "SELECT * FROM mytable WHERE mycolumn = :" . $_POST[$field];
Which is definitely not safe.
And there's no reason for the parameter names to be set to user input like that. Parameter names should be fixed by you, the programmer:
$sql = "SELECT * FROM mytable WHERE mycolumn = :myparam";
Then you bind using the same name. By the way, as long as you're using a reasonably recent version of PHP, you don't need the colon prefix in the bind call. You only need it in the SQL.
$stmt->bindParam("myparam", $_POST[$field]);
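The pattern the answer describes, as an added example that is not code from the question or the answer above. It shows the SQL text that a user-supplied placeholder name produces, the fixed-placeholder form with the value bound, and an allow-list for the separate case where the column itself has to vary with user input (identifiers cannot be bound, so they must be mapped onto names the programmer chose). It runs offline against an in-memory SQLite database; the table, rows, request array and function names are constructed for the illustration.

```php
<?php
// Added example, not code from the question or the answer above.
// Runs offline against an in-memory SQLite database; table, rows and request
// input are constructed. Function names are illustrative.

// Constructed request input. Both the key and the value are attacker-controlled.
$post = ['field' => 'x OR 1=1 --', 'value' => 'alice'];

// UNSAFE: the placeholder name is concatenated from user input. Returned rather
// than executed so the reader can see that the submitted text has become part of
// the query structure instead of a bound value.
function unsafeSql(array $post): string
{
    return 'SELECT * FROM mytable WHERE mycolumn = :' . $post['field'];
}

// SAFE: placeholder name fixed by the programmer; user input is bound only as a value.
function findByColumnValue(PDO $pdo, string $value): array
{
    $stmt = $pdo->prepare('SELECT id, mycolumn, role FROM mytable WHERE mycolumn = :myparam');
    $stmt->bindValue('myparam', $value, PDO::PARAM_STR); // colon not required in the bind call
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE dynamic column: map the requested field onto an allow-list of real column
// names and reject anything else, then still bind the value through a fixed placeholder.
function findByAllowedColumn(PDO $pdo, string $requestedColumn, string $value): array
{
    $allowed = ['name' => 'mycolumn', 'role' => 'role']; // request key => real column
    if (!array_key_exists($requestedColumn, $allowed)) {
        throw new InvalidArgumentException('unknown field: ' . $requestedColumn);
    }
    $column = $allowed[$requestedColumn];
    $stmt = $pdo->prepare("SELECT id, mycolumn, role FROM mytable WHERE $column = :val");
    $stmt->bindValue('val', $value, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, mycolumn TEXT, role TEXT)');
$pdo->exec("INSERT INTO mytable (mycolumn, role) VALUES ('alice', 'user'), ('bob', 'admin')");

echo 'Unsafe pattern would build: ', unsafeSql($post), PHP_EOL;

// A hostile value is just a string compared against the column; no rows match.
var_dump(findByColumnValue($pdo, "' OR 1=1 --"));
var_dump(findByColumnValue($pdo, $post['value']));

// Column chosen from the allow-list; an unknown or hostile field name is rejected.
var_dump(findByAllowedColumn($pdo, 'role', 'admin'));
try {
    findByAllowedColumn($pdo, 'role; DROP TABLE mytable', 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

bindValue is used here instead of bindParam because the values are literals and expressions, not variables; bindParam takes its argument by reference and is the right call when the variable is assigned after binding, as in the answer's final line.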