Possible Duplicate:
How to prevent SQL injection in PHP?
I use PDO prepared statements to prevent MySQL injection, but should I be doing anything more to sanitize user input? The user will only be shown his own input and the input of others he "friends." Is there anything else I need to do to sanitize input?
I don't think that magic quotes are enabled, and I can't think of any other way a user could mess with my site, but I am new to this so I am not sure.
Thanks in advance!
If you're using prepared statements, then you shouldn't have any issue with MySQL injection.
If an application exclusively uses prepared statements, the developer can be sure that no SQL injection will occur (however, if other portions of the query are being built up with unescaped input, SQL injection is still possible).
You might consider sanitizing your output, however, like only displaying certain HTML tags (if any at all), to avoid issues with someone messing with the site's layout or, worse, executing arbitrary JavaScript.