I've read this before "filter input, escape output" but is filtering input really needed when I use PDO with PHP? I thought with PDO I don't need to filter input because
Depending on what the data you're saving is, yes it can still be valid.
For example, let's say you have a comment box and a user writes a message containing HTML markup. In this case you would often want to remove the said HTML markup from the comment text, even if it ended up being escaped (after all, it probably won't look very nice).
There are other cases too, like if you have a phone number field, you might want to filter it so it's in the specific format your application uses and so on.
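
The three layers discussed here, shown together as an added example that is not part of the original answer: filter on input, bind with PDO, escape on output. The `comments` table, the helpers `filterComment` and `filterPhone`, the 7 to 15 digit rule and the sample input are assumptions made for illustration; it uses the `pdo_sqlite` driver with an in-memory database.

```php
<?php
declare(strict_types=1);

// Input filter (hypothetical helper): drop HTML markup from a comment and trim it.
function filterComment(string $raw): string
{
    return trim(strip_tags($raw));
}

// Input filter (hypothetical helper): normalise a phone number to digits with an
// optional leading "+". Returns null unless 7 to 15 digits remain (assumed rule).
function filterPhone(string $raw): ?string
{
    $digits = (string) preg_replace('/\D+/', '', $raw);
    $plus = preg_match('/^\s*\+/', $raw) === 1 ? '+' : '';
    return preg_match('/^\d{7,15}$/', $digits) === 1 ? $plus . $digits : null;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, phone TEXT, body TEXT)');

// Constructed sample input, as it might arrive in $_POST.
$input = [
    'phone' => '+1 (555) 010-9999',
    'body'  => "<b>Nice post</b>, it's <i>great</i> & 5 > 3",
];

$phone = filterPhone($input['phone']);
$body  = filterComment($input['body']);
if ($phone === null || $body === '') {
    exit("rejected input\n");
}

// Placeholders keep the values out of the SQL text (the apostrophe in the body is
// harmless here), but they store whatever they are given: PDO does not filter data.
$stmt = $pdo->prepare('INSERT INTO comments (phone, body) VALUES (:phone, :body)');
$stmt->execute([':phone' => $phone, ':body' => $body]);

// Output escaping still applies when the stored value is written into HTML.
foreach ($pdo->query('SELECT phone, body FROM comments') as $row) {
    printf(
        "<p>%s: %s</p>\n",
        htmlspecialchars($row['phone'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8')
    );
}
```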