I understand that parameterized queries are essential when user-submitted data is on the prowl; however, my question is whether this applies to user-TAMPERABLE data?
Anything that is touchable by the user should be treated as unsafe and a potential threat. You query by id; as such, not validating it and just shoving it straight into a query can still cause the same injection problems as not using PDO at all.
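The point made in the answer above, as an added example that is not part of the original question or answer: the same tamperable id is passed to a concatenated query and to a validated, bound one. The `orders` table, the function names and the sample values are hypothetical, and the script assumes PHP with the `pdo_sqlite` extension.

```php
<?php
// Constructed sample: in-memory SQLite table standing in for the real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT)');
$pdo->exec("INSERT INTO orders VALUES (1,'alice','book'), (2,'bob','lamp'), (3,'carol','desk')");

// Unsafe: the id is concatenated into the SQL text, so whatever the client
// sent becomes part of the statement even though PDO is the one running it.
function findOrderUnsafe(PDO $pdo, string $rawId): array
{
    return $pdo->query("SELECT id, owner, item FROM orders WHERE id = $rawId")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: validate the id as a positive integer, then bind it as a parameter
// so it can only ever be treated as a value, never as SQL.
function findOrderSafe(PDO $pdo, string $rawId): array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT id, owner, item FROM orders WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed values as they might arrive from a hidden field, cookie or URL:
// one untouched, one edited by the user before submission.
foreach (['2', '2 OR 1=1'] as $rawId) {
    printf("id=%-12s unsafe rows: %d\n", "'$rawId'", count(findOrderUnsafe($pdo, $rawId)));
    try {
        printf("id=%-12s safe rows:   %d\n", "'$rawId'", count(findOrderSafe($pdo, $rawId)));
    } catch (InvalidArgumentException $e) {
        printf("id=%-12s safe: rejected (%s)\n", "'$rawId'", $e->getMessage());
    }
}
```

Validation and binding answer different questions: the bound parameter keeps the value out of the SQL text, while a separate authorization check is still needed to confirm the requested row belongs to the caller.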