Almost every amateur PHP and MySQL project has an SQL injection vulnerability. PDO's parameter binding removes the most common cause: the query is sent to the database with placeholders, and the values are passed separately and bound to those placeholders, so they never become part of the SQL text that the parser sees (with emulated prepares, PDO quotes the values client-side before sending the statement; with native prepares, the server receives them as typed parameters). Either way, a value such as `1 OR 1=1` is compared as data, not executed as SQL. Keep in mind that binding covers values only; table and column names or an ORDER BY direction cannot be bound and still have to be checked against a fixed list. With that caveat, we can run the following query without fear (assuming `DB::query` is the project's wrapper that prepares the statement and executes it with the given parameter array):

<?php
// The ? placeholder is bound to $_GET['id']; the value never becomes part of the SQL text.
$post = DB::query('SELECT * FROM posts WHERE id = ?', array($_GET['id']));
?>
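To see the difference binding makes, here is an added example that is not part of the original article. It uses plain PDO against an in-memory SQLite database (the `pdo_sqlite` extension) so it runs offline; the `posts` table, its rows and the attacker value `1 OR 1=1` are constructed for the demonstration. The three functions (`vulnerableLookup`, `safeLookup`, `listPosts`) are hypothetical names chosen here: the first splices the value into the query, the second binds it to a placeholder, and the third shows the one case binding cannot cover, a user-chosen column name, which is handled with a whitelist instead.

```php
<?php
// Added example, not from the original article. Runs against an in-memory SQLite
// database so it works offline; table, rows and attacker input are constructed here.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Ask for native prepares where the driver supports them. SQLite always binds
// natively; on MySQL this stops PDO from merely quoting values client-side.
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)');
$pdo->exec("INSERT INTO posts VALUES (1, 'Public post', 1), (2, 'Draft, not for readers', 0)");

// Constructed attacker input standing in for $_GET['id'].
$attackerId = '1 OR 1=1';

// 1) Vulnerable: the value is spliced into the SQL text, so the OR becomes part of
//    the WHERE clause and the unpublished draft is returned as well.
function vulnerableLookup(PDO $pdo, string $id): array
{
    $sql = "SELECT id, title FROM posts WHERE published = 1 AND id = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2) Safe: the same value is bound to a placeholder. It is compared as data,
//    so '1 OR 1=1' matches no id and nothing is returned.
function safeLookup(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT id, title FROM posts WHERE published = 1 AND id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3) Binding covers values only. A column name cannot be a bound parameter, so a
//    user-chosen sort column must be checked against a fixed whitelist before it
//    is placed into the query text.
function listPosts(PDO $pdo, string $orderBy): array
{
    $allowed = ['id', 'title'];
    if (!in_array($orderBy, $allowed, true)) {
        throw new InvalidArgumentException('unsupported sort column: ' . $orderBy);
    }
    $stmt = $pdo->query("SELECT id, title FROM posts WHERE published = 1 ORDER BY $orderBy");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("interpolated: %d row(s) (the draft leaks)\n", count(vulnerableLookup($pdo, $attackerId)));
printf("bound:        %d row(s)\n", count(safeLookup($pdo, $attackerId)));
printf("ORDER BY title: %d row(s)\n", count(listPosts($pdo, 'title')));

try {
    listPosts($pdo, 'title; DROP TABLE posts');
} catch (InvalidArgumentException $e) {
    echo "rejected identifier: " . $e->getMessage() . "\n";
}
```

Run it with `php example.php`. The interpolated query returns both rows because the attacker's `OR 1=1` is parsed as SQL, the bound query returns none because the whole string is treated as a single value, and the identifier check rejects anything that is not one of the two known column names before it ever reaches the database.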