
Does Zend_DB / Doctrine protect me from SQL injection?

Does using prepared statements in Zend_DB or Doctrine protect me from SQL injection?

example:

// Zend_Db_Statement::execute() takes the values to bind as an array
$stmt = $db->prepare('SELECT * FROM users WHERE name = ? AND password = ?');
$rs = $stmt->execute(array('peter', 'secret'));

Or do I have to check strings and types myself?

Another quickie: Which of the two is best? I only need the DB abstraction (w/ statements, procedures, and transactions).


Yes.

Prepared statements, whether done with Zend_Db, Doctrine or plain old mysqli, protect you from injection by separating the query structure from the data. This means that if you prepare a statement that selects users based on their name and password, no hacker will be able to provide data that turns that statement into a different one.

Just make sure that the query itself is a string constant.

As for your second question, Doctrine and Zend_Db have different approaches that fit different situations and different aesthetic preferences. There have already been several questions on the topic here.

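The separation of query structure from data that the answer describes, shown as an added example that is not code from the original page. It uses Python's sqlite3 driver instead of Zend_Db or Doctrine because the mechanism (a constant SQL text plus separately bound values) is the same in all of them. The `users` rows, the `' OR 1=1 --` payload and the `SORTABLE_COLUMNS` allow-list are constructed for the demonstration; the last one illustrates the "query itself must be a string constant" caveat: a placeholder can carry a value but never a column or table name, so anything that changes the structure of the statement has to be validated some other way.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original page).
SAMPLE_USERS = [
    ("peter", "secret"),
    ("alice", "hunter2"),
]

# Columns a caller is allowed to sort by. Placeholders cannot stand in for
# identifiers, so anything that changes the query *structure* (a column name,
# a table name, ASC/DESC) must be checked against an allow-list like this.
SORTABLE_COLUMNS = {"id", "name"}


def make_db():
    """Create an in-memory SQLite database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """String-built query: user data becomes part of the SQL text.

    A name of  ' OR 1=1 --  turns the WHERE clause into
        WHERE name = '' OR 1=1 --' AND password = '...'
    and the statement now matches every row.
    """
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return [row[0] for row in conn.execute(sql)]


def login_prepared(conn, name, password):
    """Prepared statement: the SQL text is a constant, the values are bound.

    The same payload is compared literally against the name column, so the
    query structure cannot change no matter what the caller passes in.
    """
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def list_users_sorted(conn, order_by):
    """Dynamic ORDER BY: the column is structure, not data.

    Binding it with '?' would not work (the driver would sort by a string
    constant), so it is validated against SORTABLE_COLUMNS before being
    spliced into an otherwise constant query.
    """
    if order_by not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column: %r" % order_by)
    sql = "SELECT name FROM users ORDER BY %s" % order_by
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))   # every user
    print("prepared:  ", login_prepared(db, payload, "wrong"))     # nobody
    print("sorted:    ", list_users_sorted(db, "name"))
```

The example keeps the page's name/password query shape only to stay close to the question; comparing a password inside the query implies it is stored in clear, which is a separate problem from injection.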