I've read this before, "filter input, escape output", but is filtering input really needed when I use PDO with PHP? I thought with PDO I don't need to filter input because
Yes, it is escaping input, but not immediately like magic_quotes_gpc. Magic quotes is an awful approach to security. Vulnerabilities are highly dependent on how the tainted data is being used; you can never have one function that fixes everything all of the time. Also, during the flow of the application there may be a case where another function undermines magic_quotes, such as stripslashes(), base64_decode(), urldecode(), htmlspecialchars_decode($var, ENT_QUOTES), and even substr().
In short, you must always escape input at the time of use. PDO and ADOdb do this, and they do it perfectly.
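The point the answer makes, that escaping at request time can be undone downstream while a bound parameter cannot, as an added example that is not part of the original question or answer. It uses an in-memory SQLite database through PDO so it runs offline; the users table, its rows and the lookupUnsafe/lookupSafe function names are all constructed here for illustration.

```php
<?php
// Added example (not from the original post). In-memory SQLite via PDO;
// the table and rows below are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// 1. Escape-at-input, magic_quotes style: addslashes() when the request arrives.
$raw      = "' OR '1'='1";
$escaped  = addslashes($raw);        // \' OR \'1\'=\'1
// Somewhere later a "helpful" call undoes it, exactly the failure the answer describes.
$restored = stripslashes($escaped);  // back to: ' OR '1'='1

// 2. String concatenation: the restored value reaches SQL as code, not data.
function lookupUnsafe(PDO $pdo, string $name): array {
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Escaping at time of use: a prepared statement with a bound parameter.
//    The value is sent separately from the SQL text, so quotes in it are inert.
function lookupSafe(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare("SELECT name FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(lookupUnsafe($pdo, $restored)); // alice and bob: the injection succeeded
print_r(lookupSafe($pdo, $restored));   // empty array: the literal string matched no row
print_r(lookupSafe($pdo, $raw));        // empty array: no intermediate escaping was needed
```

Two caveats a practitioner would want alongside this: bound parameters protect values only, so table and column names, ORDER BY directions and similar SQL fragments still have to be checked against a whitelist before they are concatenated; and an injection-safe query says nothing about how the value is later rendered in HTML, which is the "escape output" half of the saying the question quotes.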