Does pg_prepare() prepared statement (not PDO) prevent SQL-Injection?

误落风尘 2021-01-20 11:50

PDO is not supported in the target system I'm working on, and so I seek a solution for preventing SQL injection using PHP 5.1.x on a

4 answers
  •  孤城傲影 2021-01-20 12:08

    Using prepared statements is generally the best way to go, since you should also get better SQL performance from database optimisations that can be skipped.

    However, it is always good to know alternative ways of doing things, so bear in mind you can use pg_escape_string() on your tainted variables and then use the outputs directly in a SQL query.
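    Both routes from the answer, written for the PHP 5.1.x constraint in the question, as an added example that is not code from the question or the answer. The connection string values and the `users` table are placeholders; the input value is constructed.

```php
<?php
// Added example (not from the original question or answer). Assumes a reachable
// PostgreSQL server; the connection string values and the users table are placeholders.
$conn = pg_connect("host=DB_HOST dbname=DB_NAME user=DB_USER password=DB_PASSWORD");
if ($conn === false) {
    die("connection failed\n");
}

// Constructed user-supplied value. The embedded quote would break a naively
// concatenated query; here it is simply data.
$username = "o'brien";

// 1) Prepared statement: pg_prepare()/pg_execute() exist from PHP 5.1.0.
//    The SQL text and the parameter values are sent to the server separately,
//    so the value is never parsed as SQL. $1 is a typed placeholder, not
//    string substitution, so no quoting or escaping is needed.
$ok = pg_prepare($conn, 'find_user', 'SELECT id, username FROM users WHERE username = $1');
if ($ok === false) {
    die(pg_last_error($conn) . "\n");
}
$result = pg_execute($conn, 'find_user', array($username));
if ($result === false) {
    die(pg_last_error($conn) . "\n");
}
echo "prepared statement returned ", pg_num_rows($result), " row(s)\n";

// 2) One-shot variant without a named statement (also PHP >= 5.1.0).
$result = pg_query_params($conn, 'SELECT id FROM users WHERE username = $1', array($username));

// 3) Escaping fallback from the answer. On PHP 5.1.x only the one-argument form
//    of pg_escape_string() exists (the connection-aware form arrived in 5.2.0).
//    It doubles embedded single quotes but does NOT add the surrounding quotes,
//    so the caller must wrap the result in '...' and it protects string
//    literals only, never identifiers or unquoted numeric positions.
$safe = pg_escape_string($username);
$result = pg_query($conn, "SELECT id FROM users WHERE username = '" . $safe . "'");

// 4) Parts of the statement that placeholders cannot carry (table or column
//    names, ORDER BY targets) must be validated against an allow list rather
//    than escaped; the data value still goes through a parameter.
$allowed_columns = array('id', 'username', 'created_at');
$sort = isset($_GET['sort']) ? $_GET['sort'] : 'id';
$order_by = in_array($sort, $allowed_columns, true) ? $sort : 'id';
$result = pg_query_params($conn,
    'SELECT id, username FROM users WHERE username = $1 ORDER BY ' . $order_by,
    array($username));
pg_close($conn);
```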
