Does using prepared statements in Zend_DB or Doctrine protect me from sql injection?
example:
$stmt = $db->prepare('SELECT * FROM users WHERE name = ? AND password = ?');
$rs = $stmt->execute('peter', 'secret');
Or do I have to check strings and types types myself?
Another quickie: Which of the two is best? I only need the DB abstraction (w/ statements, procedures, and transactions).
Yes.
Prepared statements, whether done with Zend_Db, Doctrine or plain old mysqli, protect you from injection by separating the query structure from the data. This means that if you prepare a statement that selects users based on their name and password, no hacker will be able to provide data that turns that statement into a different one.
Just make sure that the query itself is a string constant.
As for your second question, Doctrine and Zend_Db have different approaches that fit different situations and different aesthetic preferences. There have already been several questions on the topic here.