SQL Injections PDO Protect


I have one question. In my application all SQL queries are done with PDO. For example, Notes:

<?php
   include "config.php";                      // expected to set up $conn (PDO) and the session
   $User_Check = $_SESSION['Login_User'];
   if ($_SERVER["REQUEST_METHOD"] == "POST") {
     $Notes = $_POST["Notes"];                // was "Notes = ..." (missing $)
     try {
        // static SQL text; the values are bound at execute() time
        $sql = $conn->prepare('UPDATE Accounts SET Notes = :Notes WHERE Username = :User_Check');
        $sql->execute(array('Notes' => $Notes, 'User_Check' => $User_Check));
        header('Location: home.php?Message=Uspesno');
     } catch(PDOException $e) {
        header('Location: home.php?Message=Greska');
     }
   }
   $sql = $conn->prepare('SELECT Notes FROM Accounts WHERE Username = :User_Check');
   $sql->execute(array('User_Check' => $User_Check));
   $row = $sql->fetch(PDO::FETCH_ASSOC);
   $SelectNotes = $row['Notes'];
   $conn = null;                              // was "conn = null" (missing $)
?>

Now I want to know how secure this approach is. Can anyone do SQL injection? And do I need to add some other form of protection? Thanks!

Best answer:

With PDO you don't need to escape strings to prevent SQL injection because the prepare function does this job.

So yes your requests are secure.

Second answer:

As long as the string passed to prepare() is static (i.e. does not contain any variables), you should be safe from SQL injections.

The important part is separating user input from your SQL statements, and you do that by having the SQL passed to prepare() and the user input to execute().

Similar question: How does a PreparedStatement avoid or prevent SQL injection?
(The question is tagged , but neither the question nor the answer are specific to Java.)
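To make the "static string" caveat concrete, here is an added example (not code from the question or either answer) that runs the same kind of lookup both ways against an in-memory SQLite database; the table, rows and the input value are constructed for the demo.

```php
<?php
// Added example, not from the original question or answers.
// In-memory SQLite so it runs without a server; all data below is constructed.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE Accounts (Username TEXT PRIMARY KEY, Notes TEXT)');
$conn->exec("INSERT INTO Accounts VALUES ('alice', 'alice notes'), ('bob', 'bob notes')");

// Constructed value standing in for whatever a user types into a form field.
// It contains a quote, which is exactly what breaks string-built SQL.
$input = "nobody' OR '1'='1";

// Unsafe: the variable becomes part of the SQL text handed to prepare(),
// so the quote closes the literal and the OR clause matches every row.
function notesUnsafe(PDO $conn, string $user): array {
    $sql = $conn->prepare("SELECT Notes FROM Accounts WHERE Username = '" . $user . "'");
    $sql->execute();
    return $sql->fetchAll(PDO::FETCH_COLUMN);
}

// Safe (the pattern from the question): the SQL text is a constant string,
// the value travels separately through execute() and is only compared as data.
function notesSafe(PDO $conn, string $user): array {
    $sql = $conn->prepare('SELECT Notes FROM Accounts WHERE Username = :User_Check');
    $sql->execute(['User_Check' => $user]);
    return $sql->fetchAll(PDO::FETCH_COLUMN);
}

$leaked = notesUnsafe($conn, $input);   // 2 rows: both users' notes
$bound  = notesSafe($conn, $input);     // 0 rows: no account has that username

printf("string-built SQL returned %d row(s)\n", count($leaked));
printf("prepared statement returned %d row(s)\n", count($bound));
assert(count($leaked) === 2 && count($bound) === 0);
```

The only difference between the two functions is where `$user` enters: inside the string given to prepare() it is parsed as SQL, inside the array given to execute() it can only ever be a value.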