On the PDO::Prepare page it states,
"and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters"
Yes and no:
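The claim quoted from the manual, shown in working code. This is an added example, not code from the manual page or from the note's author; it assumes the pdo_sqlite driver is available and uses an in-memory SQLite database, a constructed malicious input string, and a hypothetical `$orderBy` value standing in for user-supplied input. The third part shows the limit of the claim: placeholders bind values only, so identifiers such as column or table names still need an allow-list.

```php
<?php
// Added example, not from the PDO manual or the note's author.
// In-memory SQLite (pdo_sqlite) so it runs without a database server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Attacker-controlled input, constructed for this example.
$input = "x' OR '1'='1";

// 1. Manual string building: the single quote inside $input closes the
//    string literal and the injected OR clause makes every row match.
$unsafe = $pdo->query("SELECT name FROM users WHERE name = '" . $input . "'")
              ->fetchAll(PDO::FETCH_COLUMN);
var_dump($unsafe);

// 2. Prepared statement with a bound value: the whole of $input is passed
//    as a single string value and compared literally, so nothing matches.
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
$stmt->execute([':name' => $input]);
var_dump($stmt->fetchAll(PDO::FETCH_COLUMN));

// 3. The limit of the claim: a placeholder can only stand for a value.
//    A column name cannot be bound, so a user-chosen sort column
//    ($orderBy is hypothetical here) must be checked against an allow-list
//    before it is spliced into the SQL text.
$orderBy = 'role';
$allowedColumns = ['name', 'role'];
if (!in_array($orderBy, $allowedColumns, true)) {
    throw new InvalidArgumentException('unknown sort column');
}
$stmt = $pdo->prepare("SELECT name FROM users ORDER BY $orderBy");
$stmt->execute();
var_dump($stmt->fetchAll(PDO::FETCH_COLUMN));
```

Run it with `php example.php`: the first query returns both users, the bound query returns none, and the allow-listed ORDER BY returns both users sorted by role.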