PHP+PDO - prepared statement info

Question

Even after a lot of reading, I didn't get one thing. Is PDO escaping data IF I am NOT using bindValue or bindParam ? Maybe I didn't understand what "prepare" exactly does. I know it's storing a procedure as an object. I know it's performance benefits (even used it with transactions) but escaping is the only thing I didn't understand

Suppose this:

$db = new PDO('mysql:host=' . $config['db']['host'] . ';dbname=' . $config['db']['dbname'], $config['db']['username'], $config['db']['password'], $config['db']['options']);

$query = $db->prepare("INSERT INTO table (col1, col2) VALUES (:col1, :col2)");

$result = $query->execute(array('col1' => $val_col1, 'col2' => $val_col2));

Where/when is the actual escape being done ? While preparing or while binding a param/value ? What if I'm skipping this:

$query->bindParam(":col1", $val_col1);
$query->bindParam(":col2", $val_col2);

Note that I have PDO::ATTR_EMULATE_PREPARES set to false (it's set in $config array)

Using PHP 5.4.13 and MySQL 5.1.67

Answer 1

Passing an array into execute() is just a syntax sugar for the series of bindValues performed then internally. So,

Is PDO escaping data IF I am NOT using bindValue or bindParam ?

Yes, as long as you have your data substituted with placeholders.

I know it's performance benefits

There are no performance benefits

Where/when is the actual escape being done? While preparing...

• It cannot be done while preparing, if you think it over a bit. There is no data to "escape" yet.
• "Escaping" is not that you think it is. "Formatting" is a more correct term. PDO does format every value from the passed array as a string.
• Formatting is done before execution when emulation mode is on and never when off