[eluser]Unknown[/eluser]
I am new to CI and was looking at the PDO database driver with Version 2.1.0. I noticed it uses the PDO 'query' function and not 'prepare' and 'bindParam'/'bindValue'. I also noticed at the top of pdo_driver.php that it doesn't specify any escape characters like it does with other drivers.
Doesn't this completely miss the point of using PDO in the first place and in fact make it less protected from SQL injection than using the normal mysql driver? Or am I completely misinterpreting something?
EDIT: I have noticed that it in fact does sanitization using PDO::quote, but why not use prepare and bindParam/bindValue as it is 100% safe? Also this comment in the code worried me as it isn't using prepared statements.
Quote:// the character used to excape - not necessary for PDO
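The two approaches this post compares, side by side: a prepared statement with bindValue and a query built with PDO::quote. This is an added example, not code from the thread or from CodeIgniter's pdo_driver.php; it assumes an in-memory SQLite database with a constructed users table so it runs offline.

```php
<?php
// Added example: runs against in-memory SQLite; not CodeIgniter's driver code.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for native (server-side) prepares rather than client-side emulation, so
// bound values are never spliced into the SQL text. This matters on pdo_mysql,
// which emulates by default; pdo_sqlite prepares natively and ignores it.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample table and rows.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$seed = $pdo->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
foreach ([['Alice', 'alice@example.test'], ["O'Brien", 'ob@example.test']] as [$n, $e]) {
    $seed->execute([':name' => $n, ':email' => $e]);
}

// Approach 1: what the post asks for. The SQL is compiled with a placeholder
// and the value travels separately, so query structure and data never mix.
function findByNamePrepared(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Approach 2: what the post found the driver doing. PDO::quote() returns the
// value wrapped in quotes with driver-specific escaping applied, and the
// result is concatenated into the SQL string before it is sent as one text.
function findByNameQuoted(PDO $pdo, string $name): ?array
{
    $sql = 'SELECT id, email FROM users WHERE name = ' . $pdo->quote($name, PDO::PARAM_STR);
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A name containing an apostrophe is the ordinary case escaping has to get right.
$who = "O'Brien";
var_dump(findByNamePrepared($pdo, $who) === findByNameQuoted($pdo, $who)); // bool(true)
echo $pdo->quote($who), PHP_EOL; // 'O''Brien' (SQLite doubles the quote)
```

With quote() the correctness of the escaping is a property of the driver and the connection's character set, which is why checking both paths against the same tricky input is a useful test when auditing a database layer.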