Currently, I am developing my first website. Right now, I am implementing PHP’s MySQL extensions. From what I’ve been reading, however, using PHP’s PDO would be a much better way to go for several reasons such as the use of placeholders and so forth.

After going over some of the code, I am curious about a few things. As an example, say I create a connection and query as such:

$pdo = new PDO('mysql:host=localhost;dbname=something','root','abc');

$sql="select id from users where username = :username and password = :password";

$stmt = $pdo->prepare($sql);

$stmt->bindParam(":username",$_POST['username']);
$stmt->bindParam(":password",$_POST['password']);

$stmt->execute();

First, does $stmt->execute(); actually execute the entire query? And if so, why? If that is the case, my assumption would be that, in a way, it is inherently connected to the the prepared statements and therefore it is binded to the prepared sql statement.

Also, it is quite obvious that prepared statements are better protected against sql injection. My questions is at what point is user input sanitized within PDO. To explain, in the MySQL extensions, functions such as mysql_real_escape_string() had to be hardcoded when sanitizing.

If there are any other intricacies of using PDO that don’t exist when using MySQL extensions, I am curious to know.

Any feedback is appreciated.