I've had a good read with this question mysqli or PDO - what are the pros and cons?. But I think it's a bit dated. Are prepared statements still the best solution against injections?
I'm going to create a new php interface to access my mysql database so I want to get it right from the start.
Also doesn't pdo slow your query's down a lot?