A reasonable level of security vs. sql injection?

Question

I'm getting ready to launch a site - the first one that I coded from the ground up. It's going to be low traffic, and low-profile (probably won't get spidered by search engines.) I'm using PEAR's DB library and its query() method's placeholders to store user data, as follows:

<?php
require_once('db.inc');
$firstname = $_POST['firstname']; 
$lastname = $_POST['lastname'];
$rsvp = $_POST['rsvp'];
$mail = $_POST['email'];
$phone = $_POST['phone'];
$lodging = $_POST['lodging'];
$extra = $_POST['extra'];
$msg = $_POST['msg'];
$password = $_POST['password'];
$id = $_POST['id'];
$username = $firstname . ' ' . $lastname;

if (isset($id)) {
  $sql = $conn->query("UPDATE guest SET username = ?, mail = ?, phone = ?, lodging = ?, extra = ?, msg = ?, role = ?, password = ?, mailed = ? WHERE id = ?", array($username, $mail, $phone, $lodging,$extra, $msg, 2, $password, 0, $id)); //TODO!! set mailed to 1 in production
  } else {
  $sql = $conn->query('INSERT INTO guest (username, password, rsvpstatus, role, mail, phone, lodging, extra, msg, mailed)VALUES (?,?,?,?,?,?,?,?)', array($username, $password, $rsvp,  2, $mail, $phone, $lodging, $extra, $msg, 1));
  }

 header('location:main.php');

Does this seem like a reasonable level of protection vs sql injection?

Answer 1

Placeholders and binding like you are doing are exactly the defense against sql injection. As long as you never directly interpolate any user input into the sql, you're fine.

Answer 2

You can use the mysql_real_escape_string function in PHP ( view function in php.net )

Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query()

Example:

$secure_firstname = mysql_real_escape_string( $_POST['firstname'] );
$secure_lastname = mysql_real_escape_string( $_POST['lastname'] );

Answer 3

So long as that library quotes and escapes all of its arguments, it will be fine.