Do I need to sanitize still using PDO?

For example, I have a FORM and it returns two variables. Do I still need to make them look like this?

 if (isset($_POST['submit'])) {
    $admin = trim(stripslashes($_POST['admin']));
    $password = trim(stripslashes($_POST['password']));

You should be using prepared statements. You should still sanitize the submitted data eg is is within the size/length range that you expect, is it of the type that you expect, etc

Also, never check if a form was posted by checking the submit buttons; this doesn’t work in some older versions of IE. Instead, check one of the [required] fields of the form, or even better, check that the request is a POST request

    // etc
1 Like

You are asking about two totally unrelated things.

Your question has the same relevance as asking if you still have to eat cheese if you wear a green shirt.

A better option would to check a hidden type if you want to ensure older versions of IE work:

<input type="hidden" name="action" value="enter"> <!-- Inside the form -->

$submit = filter_input(INPUT_POST, 'action', FILTER_SANITIZE_SPECIAL_CHARS);

if ( isset($submit) && $submit == 'enter') {
    // Process form:

Why is that better? Both suggestions I offered work perfectly well and don’t need any extra markup to work, whereas your solution does.

That comparison is sanitising the field - it is discarding all values from the field except “enter”. No further sanitisation is required for that field.