Possible Duplicate:
Php PDO::bindParam data types.. how does it work?
Could someone explain why a prepared statement is more secure:
$stmt = $conn->prepare("INSERT INTO users (user, pass, salt)
    VALUES (:user, :pass, :salt)");
$stmt->bindParam(":user", $user);
$stmt->bindParam(":pass", $pass);
$stmt->bindParam(":salt", $salt);
$stmt->execute();
The insert query is first prepared with placeholders, then the values are put in place of the placeholders, but where is that famous secure point?
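The difference the question asks about, as an added example that is not part of the original post: the same INSERT built by string concatenation and by a prepared statement, run against a value that contains SQL punctuation. It assumes the pdo_sqlite extension and an in-memory database; the table, the helper function names and the input values are constructed for the demonstration.

```php
<?php
// Added example (not from the original post). Assumes the pdo_sqlite extension;
// the table, helper names and input values are constructed for the demonstration.

function freshDb(): PDO {
    $conn = new PDO('sqlite::memory:');
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $conn->exec('CREATE TABLE users (user TEXT, pass TEXT, salt TEXT)');
    return $conn;
}

// Vulnerable form: the values become part of the SQL text, so the parser
// sees whatever quotes, commas and parentheses they contain.
function insertConcatenated(PDO $conn, string $user, string $pass, string $salt): void {
    $conn->exec("INSERT INTO users (user, pass, salt)
                 VALUES ('$user', '$pass', '$salt')");
}

// Prepared form: the SQL text is parsed with placeholders only; the values
// are bound afterwards as data and are never read as SQL syntax.
function insertPrepared(PDO $conn, string $user, string $pass, string $salt): void {
    $stmt = $conn->prepare('INSERT INTO users (user, pass, salt)
                            VALUES (:user, :pass, :salt)');
    $stmt->bindParam(':user', $user);
    $stmt->bindParam(':pass', $pass);
    $stmt->bindParam(':salt', $salt);
    $stmt->execute();
}

function countRows(PDO $conn): int {
    return (int) $conn->query('SELECT COUNT(*) FROM users')->fetchColumn();
}

// Constructed input: a "user name" that contains SQL punctuation.
$user = "bob', 'x', 'y'), ('eve";

// Concatenated: the text becomes VALUES ('bob', 'x', 'y'), ('eve', 'hash', 'salt'),
// so the input has changed the structure of the statement.
$a = freshDb();
insertConcatenated($a, $user, 'hash', 'salt');
echo 'concatenated: ', countRows($a), " row(s)\n";

// Prepared: the whole string is stored as the value of the user column.
$b = freshDb();
insertPrepared($b, $user, 'hash', 'salt');
echo 'prepared: ', countRows($b), ' row(s), user = ',
     $b->query('SELECT user FROM users')->fetchColumn(), "\n";
```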