Prepared statements and second order SQL injections

Question

I have read somewhere here that using prepared statements in PDO makes your app only immune to first order SQL injections, but not totally immune to second order injections.

Answer 1

Since most people sermonize “the user is evil” and “don’t trust user input”, one may get the impression that once the data is in the database it’s ‘trusted’.

But SQL injections is not about trusted and untrusted data. SQL injection is the failure of ensuring that an SQL statement is interpreted as intended.

And this is where prepared statements/parameterization comes in play as it’s a technique to ensure that the parameters are interpreted as intended, i. e., as data and not as SQL code. And this should be applied to any data, regardless of its origin or whether it’s seen as ‘trusted’ or ‘untrusted’, simply to ensure the data is interpreted as intended.

Answer 2

What you have read is a plain rubbish. Someone who wrote it just have no clue.

You should use prepared statements not for the query but for the data. Every time you have to add a variable into query, you have to make it via placeholder only. So, your query separation theory makes no sense: it doesn't matter if it SELECT or ALTER or GRANT or whatever. The only thing that matters - if any variable goes into query or not.