Let's say I have code like this:\[code\]$dbh = new PDO("blahblah");$stmt = $dbh->prepare('SELECT * FROM users where username = :username');$stmt->execute( array(':username' => $_REQUEST['username']) );\[/code\]The PDO documentation says\[quote\] \[quote\] The parameters to prepared statements don't need to be quoted; the driver handles it for you. \[/quote\] \[/quote\] Is that truly all I need to do to avoid SQL injections? Is it really that easy?You can assume MySQL if it makes a difference. Also, I'm really only curious about the use of prepared statements against SQL injection. In this context, I don't care about XSS or other possible vulnerabilities.