是否可以对此代码执行SQL注入攻击？

Question

function addUser($username, $first_name, $last_name, $email, $pw, $type) {
include $_SERVER['DOCUMENT_ROOT'] . '/connection_library/connection_library.php';
$insertRow = NULL;
$connection = connectUserLogfiles();
try {
    $sql = "INSERT INTO user_list (username, first_name, last_name, email, password, type) "
            . "VALUES (:username, :first_name, :last_name, :email, :pw, :type)";
    $stmt = $connection->prepare($sql);
    $stmt->bindParam(':username', $username, PDO::PARAM_STR);
    $stmt->bindParam(':first_name', $first_name, PDO::PARAM_STR);
    $stmt->bindParam(':last_name', $last_name, PDO::PARAM_STR);
    $stmt->bindParam(':email', $email, PDO::PARAM_STR);
    $stmt->bindParam(':pw', $pw, PDO::PARAM_STR);
    $stmt->bindParam(':type', $type, PDO::PARAM_STR);
    $worked = $stmt->execute();
    $stmt->rowCount();
    $stmt->closeCursor();
} catch (Exception $ex) {
    return FALSE;
}
return $worked;
}

I have heard that using bindParam will prevent SQL injection attacks. Is this true? Is there a way to execute SQL injection attacks on this code? Assuming I perform no filtering or sanitizing on the parameters (with the exception being the password, which has been encrypted with a strong one way encryption scheme), how would you perform a SQL injection attack?

The database is a MySQL database, and the user being used in the connectionUserLogfiles() function only has SELECT, INSERT and UPDATE privileges.

Answer 1

I have heard that using bindParam will prevent SQL injection attacks. Is this true?

Yes , provided that you disable emulated prepares (they're enabled by default) and your database driver isn't stupid.