PDO security and html special chars?
Does PDO by default use html special chars? Or, even better, can I turn it on or off using PHP? I cannot find any documentation on whether this is possible or not.
Just to clarify, if using prepared statements I am nearly invincible to injection?
Does PDO by default use html special chars?
No; PDO is a database library, and hence doesn't care about HTML. If you're displaying data from your database in a web page, you still need to HTML-escape it for display.
Just to clarify, if using prepared statements I am nearly invincible to injection?
As long as you don't interpolate values directly into your queries, then yes -- you are not vulnerable to SQL injection.
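The two points in this answer, shown together in an added example (not code from the question or the answer above). It uses PDO against an in-memory SQLite database so it runs offline, and assumes the pdo_sqlite extension is enabled; the user input and table are constructed for the demonstration.

```php
<?php
// Added example: separates the two concerns in the answer above.
//  (1) PDO does not HTML-encode anything; escaping is a display-time job.
//  (2) Bound parameters keep user input out of the SQL text entirely.
// Assumes the pdo_sqlite extension is available.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// For drivers such as pdo_mysql, also consider
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
// so the server, not the client library, separates statement and parameters.

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// Constructed sample input, as a user might type it into a form field.
// It contains a quote (relevant to SQL) and markup (relevant to HTML).
$userInput = "O'Reilly <i>example</i>";

// Interpolating the value into the SQL text: the quote closes the string
// literal early, so the statement is no longer what the code intended.
// With ERRMODE_EXCEPTION this surfaces as a syntax error rather than
// silently running something else.
function insertByInterpolation(PDO $pdo, string $name): bool
{
    try {
        $pdo->exec("INSERT INTO users (name) VALUES ('$name')");
        return true;
    } catch (PDOException $e) {
        echo "interpolated insert failed: " . $e->getMessage() . "\n";
        return false;
    }
}

// Prepared statement with a bound parameter: the value travels separately
// from the SQL text, so its content cannot change the statement's structure.
function insertByPreparedStatement(PDO $pdo, string $name): void
{
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

function fetchName(PDO $pdo, string $name): string
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return (string) $stmt->fetchColumn();
}

insertByInterpolation($pdo, $userInput);      // fails on the embedded quote
insertByPreparedStatement($pdo, $userInput);  // stores the value verbatim

$stored = fetchName($pdo, $userInput);
// PDO hands back exactly what was stored; nothing has been HTML-encoded.
echo "stored value unchanged: " . var_export($stored === $userInput, true) . "\n";

// Escaping belongs at the point where the value is emitted into HTML,
// never at the point where it is stored.
$safeHtml = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "<p>Hello, $safeHtml</p>\n";
```

Running it shows the interpolated insert raising a PDOException while the prepared statement stores and returns the value unchanged; the final `echo` is the only place where `<`, `>` and `'` are converted to entities, which is the separation the answer describes.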