PDO准备好的语句是否足以防止SQL注入？ - Are PDO prepared statements sufficient to prevent SQL injection?

钉钉、微博极速扩容黑科技，点击观看阿里云弹性计算年度发布会！>>>

问题：

Let's say I have code like this: 假设我有这样的代码：

$dbh = new PDO("blahblah");

$stmt = $dbh->prepare('SELECT * FROM users where username = :username');
$stmt->execute( array(':username' => $_REQUEST['username']) );

The PDO documentation says: PDO文档说：

The parameters to prepared statements don't need to be quoted; 准备好的语句的参数不需要用引号引起来。 the driver handles it for you. 司机为您处理。

Is that truly all I need to do to avoid SQL injections? 那真的是我避免SQL注入所需要做的一切吗？ Is it really that easy? 真的那么容易吗？

You can assume MySQL if it makes a difference. 您可以假设MySQL会有所作为。 Also, I'm really only curious about the use of prepared statements against SQL injection. 另外，我真的只是对针对SQL注入使用准备好的语句感到好奇。 In this context, I don't care about XSS or other possible vulnerabilities. 在这种情况下，我不在乎XSS或其他可能的漏洞。

解决方案：