I have been using the following style code:
$query = "INSERT INTO contact_messages (fromEmail, message) VALUES (:fromEmail, :message)";
// Create bound values: each named placeholder maps to the raw user input
$query_params = array(
    ':fromEmail' => $contactFrom,
    ':message'   => $contactMessage
);
try
{
    $stmt = $db->prepare($query);
    // Passing the array to execute() binds every placeholder as a string value
    $result = $stmt->execute($query_params);
    $return['messageSent'] = true;
}
catch(PDOException $ex)
{
    die();   // original had a bare `die` with no semicolon, which is a parse error
}
I thought that this was safe, but I have just seen that I haven't specified that I am binding the parameters? Or is what I'm doing still safe enough?
Also, at this point, should I still be using e.g. htmlPurifier on the input? Or are the PDO bound parameters enough?
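For reference, here is an added example (not the asker's code) that shows the same insert with the binding made explicit, and keeps the HTML-encoding step on the output side where it belongs. It assumes an existing PDO connection in $db and the contact_messages table from the question; renderMessage() is a hypothetical helper name.

```php
<?php
// Added example, not the asker's code. Assumes $db is an open PDO connection and
// the table contact_messages(fromEmail, message) from the question exists.

// Throw on errors, and use real server-side prepared statements rather than
// client-side emulation, so SQL text and parameter values are sent separately.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

function saveContactMessage(PDO $db, string $fromEmail, string $message): bool
{
    $sql  = "INSERT INTO contact_messages (fromEmail, message) VALUES (:fromEmail, :message)";
    $stmt = $db->prepare($sql);

    // execute($params), as in the question, already binds each placeholder as a
    // string. bindValue() is the explicit equivalent; either form is a bound parameter.
    $stmt->bindValue(':fromEmail', $fromEmail, PDO::PARAM_STR);
    $stmt->bindValue(':message',   $message,   PDO::PARAM_STR);

    try {
        return $stmt->execute();
    } catch (PDOException $ex) {
        // Log the detail server-side; do not die() with it or echo it to the visitor.
        error_log('contact_messages insert failed: ' . $ex->getMessage());
        return false;
    }
}

// Constructed input full of quote characters and a comment marker. Because it is
// bound, it is stored exactly as typed; no part of it is parsed as SQL.
$saved = saveContactMessage($db, 'alice@example.com', "O'Brien: it's \"fine\" -- really");

// Output encoding is a separate concern. Bound parameters protect the database; they
// do nothing about HTML. Encode the stored text for the page it is rendered into
// (or run it through HTMLPurifier only if you must allow a subset of HTML).
function renderMessage(string $message): string
{
    return '<p>' . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

echo renderMessage('<script>alert(1)</script>');
```

The short answer the example illustrates: PDO's bound parameters are what stop SQL injection, so the input needs no purifying for the database; htmlspecialchars (or HTMLPurifier, when HTML is intended) belongs at the point where the message is displayed.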