I appreciate the ability to build queries in code, your code is very useful, but lacking. This code is currently unsuitable for exposure to an internet facing server. Even though you escape your string, I could still give you the variable like... $safe_escaped = '1 UNION SELECT password FROM users'. Or use crazy combinations of concat, char, hex, and unhex to manually write out my command without your escaped slashes.
per - 2014-02-24 19:05:25 - In reply to message 2 from Carlo Pietrobattista
You're right, I missed the line: $this->_query->bindValue( $pos , $value , $type );
and got thrown off by the line: $query = 'INSERT INTO ' . $this->_table . ' (' . $fields . ') VALUES (' . $values . ')';
This is because I believed the variable $values contained the values, but rather it contains the bound variable names, i.e. (:1, :2, :3).
I will re-rate this code, for I believe it to be secure.
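As an added illustration of the point the two replies converge on (this is not code from the package under review or from either poster), the following Python script uses sqlite3 in place of the PHP class and builds an INSERT the same way: only placeholders appear in the SQL text, and the values are bound separately. It then runs the first reviewer's payload string through a concatenated query and a bound one, to show why concatenation is exploitable and binding is not. The users table, the sample rows, the helper names and the allow-list of table names are all constructed for this example.

```python
import sqlite3

# The exact string the first reviewer proposed as a hostile input.
PAYLOAD = "1 UNION SELECT password FROM users"

# Identifiers (table and column names) cannot be bound as parameters, so a
# builder that splices them into SQL text must take them from an allow-list,
# never from the request. Constructed for this example.
ALLOWED_TABLES = {"users"}


def make_db():
    """Constructed in-memory sample database with two rows, for this example only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "hunter2"), (2, "bob", "letmein")],
    )
    conn.commit()
    return conn


def build_insert(table, data):
    """Build an INSERT the way the thread's class does: the SQL text carries
    only placeholders, and the values travel separately to the driver.
    sqlite3 uses '?' positional placeholders where the class uses :1, :2, :3;
    the binding idea is the same. Returns (sql_text, bound_values)."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not allowed: {table!r}")
    fields = ", ".join(data.keys())
    placeholders = ", ".join("?" for _ in data)
    sql = f"INSERT INTO {table} ({fields}) VALUES ({placeholders})"
    return sql, tuple(data.values())


def unsafe_lookup(conn, user_id):
    """Vulnerable form: the value is spliced into the SQL text, so the
    payload's UNION becomes part of the statement."""
    return conn.execute(f"SELECT name FROM users WHERE id = {user_id}").fetchall()


def safe_lookup(conn, user_id):
    """Hardened form: the value is bound, so the database only ever compares
    the id column against a literal string and the payload is inert."""
    return conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("concatenated:", unsafe_lookup(conn, PAYLOAD))   # leaks password column
    print("bound:       ", safe_lookup(conn, PAYLOAD))     # []
    sql, values = build_insert("users", {"id": 3, "name": PAYLOAD, "password": "x"})
    print("sql text:    ", sql)                            # placeholders only
    conn.execute(sql, values)
    print("stored name: ", conn.execute("SELECT name FROM users WHERE id = 3").fetchone())
```

Running it shows the concatenated lookup returning the password column alongside the name, while the bound lookup returns nothing and the payload, once inserted through the builder, is stored verbatim as an ordinary string. That is the behaviour the second reply confirms for the class: because $values only holds :1, :2, :3 and the real values go through bindValue(), the escaping concern in the first review does not apply to the values. It still applies to $this->_table and $fields, which the builder concatenates, so those must not come from user input.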