I have read somewhere here that using prepared statements in PDO makes your app only immune to first order SQL injections, but not totally immune to second order injections.
What you have read is plain rubbish. Someone who wrote it just has no clue.
You should use prepared statements not for the query but for the data. Every time you have to add a variable into a query, you have to do it via a placeholder only. So, your query separation theory makes no sense: it doesn't matter if it is SELECT or ALTER or GRANT or whatever. The only thing that matters is whether any variable goes into the query or not.
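The second-order case from the question, as an added example that is not part of the original answer: a value stored safely through a placeholder is later read back and used in another query, once by concatenation and once by placeholder. It assumes the pdo_sqlite driver; the tables, sample rows and the function names `notesConcatenated` and `notesPlaceholder` are constructed for illustration.

```php
<?php
// Added example: constructed schema and data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec('CREATE TABLE notes (owner TEXT, body TEXT)');

// Constructed sample data: one note per owner.
$ins = $pdo->prepare('INSERT INTO notes (owner, body) VALUES (?, ?)');
$ins->execute(['alice', 'alice private note']);
$ins->execute(['bob', 'bob private note']);

// Step 1: a hostile display name is stored through a placeholder.
// This INSERT is safe; the string lands in the table unchanged.
$hostile = "nobody' OR '1'='1";
$pdo->prepare('INSERT INTO users (name) VALUES (?)')->execute([$hostile]);

// Step 2: the value is read back. Coming from the database does not
// make it trusted; it is still a variable going into a query.
$name = $pdo->query('SELECT name FROM users WHERE id = 1')->fetchColumn();

// Wrong: the stored quote closes the string literal, so the WHERE clause
// becomes: owner = 'nobody' OR '1'='1'
function notesConcatenated(PDO $pdo, string $name): array
{
    $sql = "SELECT body FROM notes WHERE owner = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Right: the variable goes in via a placeholder, exactly as request input
// would, so it is only ever compared as a literal owner name.
function notesPlaceholder(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT body FROM notes WHERE owner = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Print how many notes each variant returns for the stored name.
var_dump(count(notesConcatenated($pdo, $name)));
var_dump(count(notesPlaceholder($pdo, $name)));
```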