Are parameterized queries in PDO necessary for request variables?

Question

I understand that parameterized queries are essential when user-submitted data is on the prowl, however my question is whether this applies to user-TAMPERABLE data?

So i

Answer 1

Url encoding would not remove the threat.

Anything that is touchable by the user should be treated as unsafe and a potential threat. You query by id as such not validating it and just shoving it straight into a query can still cause the same injection problems as not using PDO at all.

Answer 2

Why wouldn't you use prepared statements / paramaterised queries for all situations where there is external/variable input?

The only queries you can trust are those where every element is hardcoded, or derived from hardcoded elements within your application.

Do not even trust data that you have pulled from your own database. This counts as external / variable data. A sophisticated attack can use more vectors than a simple "modifying a query string parameter".

I think for the tiny amount of extra code overhead, it is completely worth the peace of mind you will get from knowing your queries are protected.