Where is your execute statement being called? Is this also inside your ->query?
If not, think of using the following, also for a better query build-up:
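<?php
try {
    // Placeholder connection values; use your own DSN and credentials.
    $dbh = new PDO($dsn, $dbUser, $dbPassword);
} catch (PDOException $e) {
    echo $e->getMessage();
}
$statement = "SELECT user, captcha FROM xf_captcha WHERE user=:username";
// If you have query as a method (which I don't think you do, but if you do), you can change "prepare" to your "query"
$sth = $dbh->prepare($statement);
// The array maps the named placeholder :username to the value of $username
$sth->execute(array(":username" => $username));
$row = $sth->fetch(PDO::FETCH_ASSOC);
?>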
In the execute parentheses you can use an array to fill the parameter :username
for the variable $username.
I think looking into PDO class examples might also be good for a better understanding of PDO and its methods (you can also refer to the PHP PDO Manual).
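
The named-placeholder pattern from the answer above, as an added, self-contained example (not the poster's code). It assumes the pdo_sqlite extension; the in-memory database, its sample rows and the `findCaptcha` helper are constructed for illustration.

```php
<?php
// Added example: constructed in-memory database, so it runs offline.
$dbh = new PDO('sqlite::memory:');
// Throw PDOException on errors instead of returning false silently.
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Table and column names follow the query in the answer; rows are sample data.
$dbh->exec('CREATE TABLE xf_captcha (user TEXT PRIMARY KEY, captcha TEXT)');
$dbh->exec("INSERT INTO xf_captcha VALUES ('alice', 'k3x9'), ('bob', 'p7qa')");

// Hypothetical helper: fetch one row by user name via a named placeholder.
function findCaptcha(PDO $dbh, string $username): ?array
{
    $sth = $dbh->prepare(
        'SELECT user, captcha FROM xf_captcha WHERE user = :username'
    );
    // The array key matches the placeholder name. The value travels as data
    // and is never spliced into the SQL text.
    $sth->execute([':username' => $username]);
    $row = $sth->fetch(PDO::FETCH_ASSOC); // fetch() returns false when no row matches
    return $row === false ? null : $row;
}

try {
    var_dump(findCaptcha($dbh, 'alice'));   // a user that exists
    var_dump(findCaptcha($dbh, 'nobody'));  // a user that does not exist
    // Quotes and SQL keywords in the value are compared literally as a user name.
    var_dump(findCaptcha($dbh, "alice' OR '1'='1"));
} catch (PDOException $e) {
    // Log the detail server-side rather than echoing it to the client.
    error_log('Query failed: ' . $e->getMessage());
}
```

With `PDO::ERRMODE_EXCEPTION` set, a failing `prepare()` or `execute()` raises `PDOException`, so the `try`/`catch` covers the query as well as the connection.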