views: 21
answers: 2
Hey guys, I'm learning OO PHP and have been looking into PDO -- one thing I'm not clear on, though, is whether I should be using PDO prepared statements in conjunction with the filter_var() function or just by themselves. For instance, should I be doing

$query = $database->connection->prepare("SELECT name FROM acounts WHERE id = :id LIMIT 1");
$query->bindParam(":id", $this->id, PDO::PARAM_INT);

or something like this?

$id = filter_var($this->id, FILTER_VALIDATE_INT);
$query = $database->connection->prepare("SELECT name FROM acounts WHERE id = :id LIMIT 1");
$query->bindParam(":id", $id, PDO::PARAM_INT);
+1  A: 

Generally speaking, these are different tasks.
You can validate your data as you wish.
But PDO itself does not need any validation.

For the code you provided, using filter_var() is unnecessary, as bindParam with the PDO::PARAM_INT flag will do the same job.

Col. Shrapnel
+1  A: 

The parameterized query is sufficient here. You already got your $this->id from a local variable. And the PDO method is perfectly fine for securing against database exploits.

You have to differentiate on where you got the $id from in the first place. Use filter_var wherever you import user/HTTP input. Don't use it only for security purposes, but with the goal of retrieving user data in the right format.

mario
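Both answers make the same point: filter_var() validates the shape of the input, while the bound parameter is what keeps the value out of the SQL text. The script below is an added example, not code from the question or either answer; it keeps the question's table name, uses an in-memory SQLite database (pdo_sqlite) with constructed rows so it runs offline, and the helper names parseAccountId, findAccountName and lookup are hypothetical.

```php
<?php
// Added example, not from the question or either answer: validation with
// filter_var() and parameter binding in PDO are two separate steps.
// An in-memory SQLite database (needs the pdo_sqlite extension) makes it
// run offline; the table and rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE acounts (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO acounts (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Step 1 (hypothetical helper): validate. Turns raw request input into a
// well-formed positive integer or rejects it. This is about data format,
// not about protecting the SQL.
function parseAccountId(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Step 2 (hypothetical helper): query. The id travels as a bound parameter
// and is never spliced into the SQL text; that, not filter_var(), is what
// keeps the query safe. bindValue() is used instead of the question's
// bindParam() only because there is no variable to bind by reference.
function findAccountName(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT name FROM acounts WHERE id = :id LIMIT 1');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Glue: validate first, and only hand a clean value to the query.
function lookup(PDO $db, mixed $rawInput): string
{
    $id = parseAccountId($rawInput);
    if ($id === null) {
        return 'rejected: not a valid account id';  // never reaches the database
    }
    return findAccountName($db, $id) ?? 'no such account';
}

// Constructed inputs of the kind a query string or form field might carry.
foreach (['2', ' 2 ', '2abc', '-1', '1 OR 1=1', 'abc', '7'] as $input) {
    printf("%-12s -> %s\n", var_export($input, true), lookup($db, $input));
}
```

Inputs that fail FILTER_VALIDATE_INT are rejected before any SQL runs, which is the "right format" goal; a valid id that matches no row is handled separately as a normal empty result.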