Below I have an excerpt of code adapted to illustrate this question:
<?php
// Values to bind; $codCarrinho, $codPremio, $quantidade and $subtotal are set earlier in the calling code
$params = [
    ':codUser'     => $_SESSION['data-user']['codigo'],
    ':codCarrinho' => $codCarrinho,
    ':codPremio'   => $codPremio,
    ':quantidade'  => $quantidade,
    ':subtotal'    => $subtotal
];
// The CALL statement text is fixed; only named placeholders appear in it
$query = 'Call addItemCarrinho(:codUser, :codCarrinho, :codPremio, :quantidade, :subtotal)';
$preparedQuery = self::getConn()->prepare($query);
foreach ($params as $key => $value) {
    $preparedQuery->bindValue($key, $value);
}
$preparedQuery->execute();
$result = $preparedQuery->fetchAll(PDO::FETCH_OBJ);
?>
This is the way I currently use it. But I have been researching and reading some articles that say it is not necessary to use prepare with procedures. But out of fear I keep using it. My question is whether it is possible to use SQL injection in anticipation?
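To make the distinction concrete, here is an added example (not part of the original question or its answers) contrasting a CALL statement built by string concatenation with the prepared form above. It assumes a MySQL DSN and a stored procedure named addItemCarrinho with the five parameters shown in the question; the function names and the sample input are constructed for illustration.

```php
<?php
// Added example, not from the original question. Assumes MySQL and a stored
// procedure addItemCarrinho(codUser, codCarrinho, codPremio, quantidade, subtotal).

// UNSAFE: the user-controlled value is pasted into the SQL text, so any quote
// character in it becomes part of the SQL syntax. The stored procedure gives
// no protection here because the CALL statement itself is altered before the
// procedure ever runs. This function only builds the string; it never executes it.
function buildUnsafeCall(int $codUser, int $codCarrinho, int $codPremio, string $quantidade, string $subtotal): string
{
    return "CALL addItemCarrinho($codUser, $codCarrinho, $codPremio, '$quantidade', '$subtotal')";
}

// SAFE: the statement text is constant and every value travels as a bound
// parameter, so a quote in $params[':quantidade'] is stored as data, not parsed as SQL.
function addItemCarrinhoSafe(PDO $conn, array $params): array
{
    $stmt = $conn->prepare(
        'CALL addItemCarrinho(:codUser, :codCarrinho, :codPremio, :quantidade, :subtotal)'
    );
    foreach ($params as $key => $value) {
        // Integers get an explicit type so they are not sent as quoted strings
        $stmt->bindValue($key, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_OBJ);
    // MySQL procedures return an extra result set; close it before the next statement
    $stmt->closeCursor();
    return $rows;
}

// Constructed input: a quantity containing a single quote, the kind of value a
// form field can carry. In the unsafe builder it ends the quoted argument early,
// which is the visible sign that input is being interpreted as SQL.
$quantidade = "1'";
echo buildUnsafeCall(7, 42, 3, $quantidade, '9.90'), PHP_EOL;

// Connection with native (non-emulated) prepared statements and exceptions on error.
// Hostname, database and credentials are placeholders.
$conn = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);
$rows = addItemCarrinhoSafe($conn, [
    ':codUser'     => 7,
    ':codCarrinho' => 42,
    ':codPremio'   => 3,
    ':quantidade'  => $quantidade, // arrives at the procedure as the literal string 1'
    ':subtotal'    => '9.90',
]);
```

Two points follow from this. First, whether the target is a plain INSERT or a CALL makes no difference on the client side: the statement text is what gets parsed, so prepare() with bound values is the right choice for both. Second, prepare() on the PHP side protects only the CALL statement; if the procedure body itself assembles dynamic SQL from its arguments with PREPARE ... EXECUTE and CONCAT(), the same problem reappears inside the database, so the procedure definition deserves the same review as the application code.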
Just in case, you should use prepare(). I believe that SQL injection is complicated and depends a lot on a poor implementation of the process. Better to prevent.
– Rodrigo Jarouche
Yeah! I always get a kick out of it!
– alan