Interestingly, that everyone who managed to answer here so far, failed to use PDO properly, keeping it as essentially insecure as with old mysql ext.
So, your first and foremost problem is a proper usage of the PDO prepared statements.
Whatever way you choose, you’ll have to run all your queries the way shown below:
$sql= "SELECT DISTINCT city FROM ZipCodes WHERE state = ? ORDER BY city";
$stmt = $pdo->prepare($sql);
$stmt->execute([$state]);
return $stmt->fetchAll();
As of the problem with PDO access, I have a solution written especially for the late mysql users, which makes PDO usage as simple as old mysql_query, yet with full power and security of PDO - Simple yet efficient PDO wrapper. With it your code will be as smooth as
function getCities($state) {
$sql= "SELECT DISTINCT city FROM ZipCodes WHERE state = ? ORDER BY city";
return DB::run($sql, [$state])->fetchAll();
}