Prepared statements are good for preventing SQL injection when the user supplies data and we use that data for DB insertion, or even just to structure the query. But is there really any benefit to PDO when I'm retrieving previously-inserted user-supplied data from the database?

It sounds to me like the answer is no. It's already in. As long as the query itself that retrieves it isn't tarnished by user-supplied parameters (e.g. `select * from table` is not tarnished by user-supplied data), it's OK to use anything, even something other than PDO, even if the data being retrieved was at one point in the past user-supplied data. Any input on this?

My guess is that once people start using PDO in their code, it becomes a matter of uniformity to keep using it for all pieces of their code and never go back to normal mysql (even if something is slightly harder with PDO).

+1  A: 

Consistency is a benefit. In fact, it's the main (theoretical) benefit of using PDO. Preventing injection through bound parameters is orthogonal to PDO.

just somebody
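An added example, not code from the question or the answer, written in PHP against an in-memory SQLite database (assumed available through the pdo_sqlite extension). It binds a constructed value on insertion, reads it back with a fixed query (where prepared statements add nothing for injection, as the question suggests), and then shows the caveat: the retrieved value is still untrusted the moment it is placed into a new query, so it has to be bound again.

```php
<?php
// Added example (not from the question or answer): in-memory SQLite via PDO,
// so it runs stand-alone wherever pdo_sqlite is installed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// 1. Insertion: user-supplied data, so bind it. The constructed sample value
//    contains a quote and a comment marker that break a concatenated query.
$userInput = "O'Brien'; -- ";
$insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $userInput]);

// 2. Retrieval with a fixed query: no user-supplied parameters are involved,
//    so there is nothing for a prepared statement to protect here. The
//    stored value comes back exactly as it was inserted.
$stored = $db->query('SELECT name FROM users')->fetchColumn();
assert($stored === $userInput);

// 3. The caveat: data read from the database is still attacker-controlled
//    once it flows back into a new query. Concatenating it re-creates the
//    injection problem (often called second-order injection); here the
//    embedded quote simply breaks the statement, which the driver reports.
try {
    $db->query("SELECT id FROM users WHERE name = '$stored'");
} catch (PDOException $e) {
    echo "Concatenated lookup failed: ", $e->getMessage(), "\n";
}

// Bind the retrieved value again instead; the lookup matches the original row.
$lookup = $db->prepare('SELECT id FROM users WHERE name = :name');
$lookup->execute([':name' => $stored]);
echo "Bound lookup found id ", $lookup->fetchColumn(), "\n";

// The same rule applies outside SQL: encode the stored value for the output
// context (here HTML) rather than assuming it is clean because it came from the DB.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```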