Does pg_prepare() prepared statement (not PDO) prevent SQL-Injection?

误落风尘 2021-01-20 11:50

PDO is not supported in target system I'm working on and though I seek a solution for preventing SQL-Injection using PHP 5.1.x on a

4 answers
  •  离开以前
    2021-01-20 12:21

    A prepared statement is safe from SQL injection because nobody can change the query plan after it's prepared. But, if your statement is already compromised, you still suffer from SQL injection:
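
The caveat in the answer above, shown as an added example that is not part of the original answer or of any project's code: a statement whose text is concatenated from request data is already compromised before `pg_prepare()` sees it, while a statement built only from constants, bound values and allowlisted identifiers is not. The `users` table, its columns, the request keys and the helper names are hypothetical.

```php
<?php
// Added illustration; table/column names and request keys are hypothetical.
// Written in PHP 5.1-compatible syntax (array(), no closures).

// UNSAFE: request data is concatenated into the statement text. pg_prepare()
// then freezes a plan that already contains whatever the client sent.
function unsafe_sql($in)
{
    return 'SELECT id, login FROM users WHERE login = $1 LIMIT ' . $in['limit'];
}

// SAFER: the statement text is assembled from constants only.
// Values travel separately as $1, $2; identifiers (which cannot be bound)
// are chosen from a fixed allowlist, never copied from the request.
function safe_sql($in, &$params)
{
    $sortable = array('login' => 'login', 'created' => 'created_at');
    $key   = isset($in['sort']) ? $in['sort'] : '';
    $col   = isset($sortable[$key]) ? $sortable[$key] : 'login';
    $limit = isset($in['limit']) ? (int) $in['limit'] : 20;
    $limit = max(1, min(100, $limit));          // clamp to a sane range
    $params = array((string) $in['login'], $limit);
    return 'SELECT id, login FROM users WHERE login = $1 ORDER BY '
         . $col . ' LIMIT $2';
}

// Prepare and execute on an open pgsql connection. The empty name '' is the
// unnamed statement, which is replaced on each pg_prepare() call.
function run_prepared($conn, $sql, $params)
{
    if (pg_prepare($conn, '', $sql) === false) {
        return false;
    }
    return pg_execute($conn, '', $params);
}

// Constructed request values: 'sort' and 'limit' carry extra SQL text.
$request = array('login' => 'alice', 'sort' => 'login; --', 'limit' => '10 OFFSET 5');

// Compare the statement text each builder would hand to pg_prepare().
echo unsafe_sql($request), "\n";   // request text appears inside the SQL
$params = array();
echo safe_sql($request, $params), "\n";   // constant SQL; values stay in $params
```

The top-level code only prints the two statement texts, so it runs without a database; `run_prepared()` is for use with a connection from `pg_connect()`.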

    
    
