PDO: does prepare() escape all data, even if not bound?
Certain data types, i.e. numbers or a table name, cannot be added as a parameter with PDO, as it adds single quotes around them.
When I add them (the variables) manually, say something like this:
$statement = $dbh->prepare("INSERT INTO $TABLE_NAME (id, foo, timestamp) VALUES (1234, ?, 4567890)");
$statement->execute(array($foo));
My question is: Does prepare() escape or properly handle ALL data within? Or just data that is bound by execute / parameter bind? Placing my variables directly into the prepare() statement is rare, but I really wish to know for security when writing these.
My question is: Does prepare() escape or properly handle ALL data within? Or just data that is bound by execute / parameter bind?
No. Only bound parameters are escaped.
Always bind parameters for all incoming data.
No, prepare only escapes data that uses placeholders.
No; AFAIK $-expansion is handled directly by PHP, and "foo $bar baz" is equivalent to "foo " . $bar . " baz".
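The point the answers make, as an added example that is not from the question or any of the answers: values go through placeholders, and an identifier such as the table name, which cannot be bound, is checked against a fixed list before it is interpolated. The in-memory SQLite database, the `ALLOWED_TABLES` list, and the `insertRow()` helper are assumptions made for illustration.

```php
<?php
// Added example: table names, helper names and sample inputs are constructed.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE events (id INTEGER, foo TEXT, timestamp INTEGER)');

// Identifiers cannot be bound, so accept only names from a fixed list.
const ALLOWED_TABLES = ['events', 'audit_log'];

function insertRow(PDO $dbh, string $table, int $id, string $foo, int $ts): void
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    // $table is now one of our own constants; every value is a placeholder.
    $stmt = $dbh->prepare(
        "INSERT INTO $table (id, foo, timestamp) VALUES (:id, :foo, :ts)"
    );
    // PARAM_INT binds the value as an integer instead of a quoted string.
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':foo', $foo, PDO::PARAM_STR);
    $stmt->bindValue(':ts', $ts, PDO::PARAM_INT);
    $stmt->execute();
}

// Constructed input with SQL metacharacters: as a bound value it is stored as data.
$input = "it's a value with '); -- in it";
insertRow($dbh, 'events', 1234, $input, 4567890);
$row = $dbh->query('SELECT id, foo, timestamp FROM events')->fetch(PDO::FETCH_ASSOC);
echo ($row['foo'] === $input) ? "stored unchanged\n" : "value was altered\n";

// Constructed input: a table name outside the allowlist never reaches prepare().
try {
    insertRow($dbh, 'events (id) VALUES (1); --', 1, 'a', 2);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```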