In BenWalker’s example, also note that no user input is used to write the query itself.
The one thing that should be added is the charset parameter in the DSN:
$dsn = 'mysql:dbname=testdb;host=127.0.0.1;charset=utf8';
Likewise, your database should use utf-8 for its encoding.
But take a broader view: you should be aware that SQL injection is not the only security vulnerability out there. It all comes down to one simple rule:
Never Trust the User.
Most users are trustworthy, but some are not. Even trustworthy users may make mistakes, or fall victim to man-in-the-middle attacks, and so forth.
You must never use any data you get from the user, for any purpose, without first validating that it is the data you expect, and sanitizing it for the specific purpose you use it for.
Some good resources:
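Added example, not from the answer above or from BenWalker's post: it puts the two points together, the charset in the DSN and the query text containing no user data, and also shows the one case bound parameters cannot cover (a user-chosen sort column), which has to be validated against an allowlist. It assumes a MySQL database `testdb` on 127.0.0.1 with a `users` table (columns `id`, `name`, `email`, `created_at`); the credentials are placeholders.

```php
<?php
// Added example (not from the original answer). Assumes a MySQL database
// "testdb" on 127.0.0.1 with a "users" table holding id, name, email and
// created_at; DB_USER_PLACEHOLDER / DB_PASS_PLACEHOLDER are placeholders.
$dsn = 'mysql:dbname=testdb;host=127.0.0.1;charset=utf8';
$pdo = new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Let MySQL handle the placeholders server-side rather than having
    // PHP splice values into the query string itself.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Everything that arrives from the request is untrusted.
$rawEmail = $_GET['email'] ?? '';
$rawSort  = $_GET['sort']  ?? 'newest';

// Step 1: validate that the value is what we expect for its purpose.
$email = filter_var($rawEmail, FILTER_VALIDATE_EMAIL);
if ($email === false) {
    http_response_code(400);
    exit('invalid email');
}

// A column name cannot be bound as a parameter, so user input must never
// be written into that part of the query. Map it onto a fixed allowlist:
// the user picks a key, the code supplies the column name.
$allowedSort = ['name' => 'name', 'newest' => 'created_at'];
if (!isset($allowedSort[$rawSort])) {
    http_response_code(400);
    exit('invalid sort');
}
$sortColumn = $allowedSort[$rawSort];

// Step 2: the query text contains no user data at all; the only
// user-controlled value travels as a bound parameter.
$stmt = $pdo->prepare(
    "SELECT id, name, email FROM users WHERE email = :email ORDER BY $sortColumn"
);
$stmt->execute([':email' => $email]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```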