PDO PHP insert into DB from an associative array

Front-end · unresolved · 6 answers · 931 views
鱼传尺愫 2020-12-06 07:01

I have an array like this

  $a = array( 'phone' => 111111111, 'image' => "sadasdasd43eadasdad" );

When I do a var-dump I get th

6 answers
  -上瘾入骨i 2020-12-06 07:43

    SQL query parameters can be used only where you would otherwise put a literal value.

    So if you could see yourself putting a quoted string literal, date literal, or numeric literal in that position in the query, you can use a parameter.

    You can't use a parameter for a column name, a table name, a list of values, an SQL keyword, or any other expression or syntax.

    For those cases, you still have to interpolate content into the SQL string, so you have some risk of SQL injection. The way to protect against that is by whitelisting the column names and rejecting any input that doesn't match the whitelist.
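The approach the answer describes, as an added example that is not part of the original answer: the array keys become column names, which cannot be bound, so they are checked against an explicit whitelist before being interpolated; the array values are bound as named parameters. The table name, the `users` schema, the `insertRow` helper and the sample rows are assumptions made for this example. It uses an in-memory SQLite database so it runs offline, and needs PHP 8 (for `match`) with the `pdo_sqlite` extension.

```php
<?php
// Added example (not from the original post): insert an associative array
// with PDO, whitelisting column names and binding values as parameters.

declare(strict_types=1);

/**
 * Insert one row into $table from an associative array.
 *
 * Column names (the array keys) cannot be bound as parameters, so each one
 * is checked against $allowedColumns before it is placed in the SQL text.
 * $table is likewise interpolated and must come from code, never from input.
 * Values are always bound, never interpolated.
 *
 * @param array<string, scalar|null> $row
 * @param list<string>               $allowedColumns
 */
function insertRow(PDO $pdo, string $table, array $row, array $allowedColumns): int
{
    if ($row === []) {
        throw new InvalidArgumentException('Nothing to insert');
    }

    $columns = [];
    foreach (array_keys($row) as $column) {
        // Strict (===) comparison: no type juggling, no case folding.
        if (!in_array($column, $allowedColumns, true)) {
            throw new InvalidArgumentException("Column not allowed: $column");
        }
        $columns[] = $column;
    }

    // Named placeholders keep each value tied to its column.
    $placeholders = array_map(fn(string $c): string => ':' . $c, $columns);

    // Only whitelisted identifiers ever reach this string.
    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        $table,
        implode(', ', $columns),
        implode(', ', $placeholders)
    );

    $stmt = $pdo->prepare($sql);
    foreach ($row as $column => $value) {
        $type = match (true) {
            is_int($value)  => PDO::PARAM_INT,
            is_bool($value) => PDO::PARAM_BOOL,
            $value === null => PDO::PARAM_NULL,
            default         => PDO::PARAM_STR,
        };
        $stmt->bindValue(':' . $column, $value, $type);
    }
    $stmt->execute();

    return $stmt->rowCount();
}

// Demonstration on an in-memory SQLite database (constructed sample data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, phone INTEGER, image TEXT)');

$allowed = ['phone', 'image'];   // assumed whitelist for the users table

// The array from the question: values are bound, keys are whitelisted.
$a = ['phone' => 111111111, 'image' => 'sadasdasd43eadasdad'];
insertRow($pdo, 'users', $a, $allowed);

// A hostile key is rejected before it can be spliced into the SQL text.
try {
    insertRow($pdo, 'users', ['phone) VALUES (1); DROP TABLE users; --' => 1], $allowed);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}

var_dump($pdo->query('SELECT phone, image FROM users')->fetchAll(PDO::FETCH_ASSOC));
```

The whitelist is the only thing standing between the array keys and the SQL string, so keep it a literal list in code (or derive it from the schema at deploy time), not something assembled from request data; a value such as the `phone` number is safe either way because it travels through `bindValue`, never through string concatenation.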
