Are parameterized queries in PDO necessary for request variables?

Frontend · Unresolved · 2 · 1890
北荒 2021-01-25 07:45

I understand that parameterized queries are essential when user-submitted data is on the prowl, however my question is whether this applies to user-TAMPERABLE data?

So i

2 answers
  •  生来不讨喜
    2021-01-25 08:46

    Why wouldn't you use prepared statements / parameterised queries for all situations where there is external/variable input?

    The only queries you can trust are those where every element is hardcoded, or derived from hardcoded elements within your application.

    Do not even trust data that you have pulled from your own database. This counts as external / variable data. A sophisticated attack can use more vectors than a simple "modifying a query string parameter".

    I think for the tiny amount of extra code overhead, it is completely worth the peace of mind you will get from knowing your queries are protected.
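The answer's point that data pulled from your own database is still external input is usually called second-order injection. The following is an added example, written for this page and not code from the question or the answerer, that shows it with PDO against an in-memory SQLite database: the hostile value is stored correctly through a bound parameter, then reaches a later query by string concatenation. Table layout, row contents and the `notesUnsafe` / `notesSafe` function names are all constructed for the demo.

```php
<?php
// Added example (not from the original post): second-order SQL injection
// through a value read back from the application's own database, next to
// the parameterised version of the same query. Uses an in-memory SQLite
// database so it runs offline; all rows are constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
$pdo->exec("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)");

// Registration: the name is stored *correctly* with a bound parameter, so the
// hostile string survives intact in the users table instead of breaking the
// INSERT. Nothing looks wrong at this stage.
$register = $pdo->prepare("INSERT INTO users (name, role) VALUES (:name, :role)");
$register->execute([':name' => "alice' OR owner <> 'x", ':role' => 'user']);
$register->execute([':name' => 'bob', ':role' => 'user']);

$addNote = $pdo->prepare("INSERT INTO notes (owner, body) VALUES (?, ?)");
$addNote->execute(['bob', 'bob private note']);
$addNote->execute(['carol', 'carol private note']);

// A later request: the application reads the name back and treats it as
// trusted because "it came from our own database", not from the request.
$name = $pdo->query("SELECT name FROM users WHERE id = 1")->fetchColumn();

// Vulnerable: the stored name is interpolated into the SQL string, so the
// query becomes  ... WHERE owner = 'alice' OR owner <> 'x'  and matches
// every note in the table, including other users' private notes.
function notesUnsafe(PDO $pdo, string $owner): array
{
    $sql = "SELECT body FROM notes WHERE owner = '$owner'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: the same query with a bound parameter. The owner value is sent as
// data, so the stored quote and OR clause are compared literally and match
// no row.
function notesSafe(PDO $pdo, string $owner): array
{
    $stmt = $pdo->prepare("SELECT body FROM notes WHERE owner = ?");
    $stmt->execute([$owner]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(notesUnsafe($pdo, $name)); // both notes leak: the injected OR clause is live SQL
var_dump(notesSafe($pdo, $name));   // empty array: no note is owned by that literal string
```

The safe version is not longer in any meaningful way, which is the answer's point about overhead. On MySQL you would additionally set `PDO::ATTR_EMULATE_PREPARES` to `false` so that the driver uses server-side prepared statements rather than client-side escaping; that attribute is left out here because the SQLite driver does not need it.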
