On the Kohana prepared statement documentation it states
Although all parameters are escaped to prevent SQL injection, it is still a good idea to validate/sanitize your input.
From what I read on prepared statements, I was under the impression that binding parameters prevented SQL injection. If this is not the case, what sanitization/escaping method should I be using before binding the variables?
………………………….
I think when they say "it is still a good idea to validate/sanitize", they mean to use the Valid class and/or the Validation class, to make sure you get the right data inserted in your DB.
More info on Validation in Kohana: http://kohanaframework.org/3.2/guide/kohana/security/validation
UPDATE:
You should also look into XSS: http://kohanaframework.org/3.2/guide/kohana/security/xss
………………………….
Kohana provides a DB abstraction over different database types. Not all concrete databases might have prepared statements, so they will get simulated. Some native escaping functions for specific databases might even be broken.
As you never know, it's always good to have more than one layer of security.
Another layer is checking that your script actually receives data that makes sense. E.g. a first-name string that is 8 megabytes large won't make sense regardless of what the database is doing with it.
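The two answers above describe the same layered approach: parameter binding handles SQL injection, and a separate validation layer (Kohana's Validation/Valid classes in the first answer, the "8 megabyte first-name" sanity check in the second) decides whether the data makes sense at all. The following is an added example, not code from the question, the answers, or Kohana itself; it uses Python and sqlite3 in place of Kohana's DB layer so it runs stand-alone. The rule names (`not_empty`, `max_length`), the 64-character limit, the printable-characters regex and the sample inputs are all constructed for illustration.

```python
import re
import sqlite3

# Constructed sample inputs (not taken from the page): a benign name with a quote,
# a classic stacked-statement injection payload, and an oversized value in the
# spirit of the "8 megabyte first-name" from the second answer.
SAMPLES = {
    "benign": "O'Brien",
    "injection": "x'); DROP TABLE users; --",
    "oversized": "A" * (8 * 1024 * 1024),
}

MAX_NAME_LEN = 64                          # hypothetical business rule
PRINTABLE_RE = re.compile(r"^[^\x00-\x1f\x7f]+$")  # hypothetical: no control characters


def validate_first_name(value):
    """Layer 1: does this input make sense as a first name?

    Returns a list of failed rule names (empty list means valid). The rule
    names mirror the style of Kohana's Validation rules but are our own.
    Note that this layer says nothing about SQL: the injection payload
    below passes it, because it is short and printable.
    """
    errors = []
    if not isinstance(value, str) or value == "":
        errors.append("not_empty")
    elif len(value) > MAX_NAME_LEN:
        errors.append("max_length")
    elif not PRINTABLE_RE.match(value):
        errors.append("printable")
    return errors


def make_db():
    """Fresh in-memory database with a minimal users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT NOT NULL)"
    )
    return conn


def insert_bound(conn, name):
    """Layer 2: parameter binding. The value travels as data and is stored
    literally, quotes and all; it is never spliced into the SQL text."""
    conn.execute("INSERT INTO users (first_name) VALUES (?)", (name,))
    conn.commit()


def insert_unsafe(conn, name):
    """The anti-pattern the binding layer replaces: string concatenation.
    executescript() stands in for a driver that allows stacked statements,
    so the payload's second statement actually runs."""
    conn.executescript("INSERT INTO users (first_name) VALUES ('%s')" % name)


def create_user(conn, name):
    """Both layers together: validate first, then bind. Returns the list of
    validation errors; an empty list means the row was inserted."""
    errors = validate_first_name(name)
    if errors:
        return errors
    insert_bound(conn, name)
    return []


def table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


def stored_names(conn):
    return [r[0] for r in conn.execute("SELECT first_name FROM users ORDER BY id")]
```

Run `create_user` over the three samples and the division of labour is visible: the benign name and the injection payload are both accepted by the validator and both stored verbatim by the bound insert (the `users` table survives), while the oversized value is rejected as `max_length` before any SQL runs. Feeding the same payload to `insert_unsafe` on a fresh database drops the table, which is the failure that binding, not validation, prevents.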