Question

I am learning about SQL injections and wondering if this specific script is susceptible. It is only a "Select" script which does have an "execute" command.

<?php
// Untrusted input from the query string.
$dude = $_GET["va"];

$aj = "blocked";
$bj = "blocked";
$username_Database = "blocked";
$password_Database = "blocked";
$dbh = new PDO("mysql:host=$aj;dbname=$bj", $username_Database, $password_Database);

// The SQL text holds only a placeholder; the user value is bound at execute time.
$sql = 'SELECT her, fac FROM servercheck WHERE man = ?';
$q = $dbh->prepare($sql);
$params = array($dude);
$q->execute($params);

// Build the XML response; setAttribute() escapes the values for XML.
$doc = new DOMDocument();
$r = $doc->createElement("himm");
$doc->appendChild($r);
foreach ($q->fetchAll() as $row) {
    $e = $doc->createElement("himm");
    $e->setAttribute('her', $row['her']);
    $e->setAttribute('fa', $row['fac']);
    $r->appendChild($e);
}
print $doc->saveXML();
?>

Solution

You're using PDO prepared statements. Avoiding SQL injection is one of the main purposes for their use. Your code is good.
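As an added illustration of the point in the answer (example code, not from the question or the answer): the same query written with string concatenation and with a placeholder, plus the two PDO attributes a reviewer would check and two things a placeholder cannot do for you. Table and column names are the ones from the question; the host, database name and credentials are placeholders, and the `col` parameter is an assumed extra input used only to show identifier handling.

```php
<?php
// Added example; assumes a MySQL database with the table from the question.
$dsn = "mysql:host=localhost;dbname=blocked;charset=utf8mb4";
$dbh = new PDO($dsn, "blocked", "blocked", [
    // Throw on errors instead of silently returning false.
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Use server-side prepares: the value travels separately from the SQL
    // text instead of being escaped into it by the driver.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$dude = $_GET["va"] ?? "";

// UNSAFE: the user value becomes part of the SQL text, so a single quote in
// it ends the string literal and whatever follows is parsed as SQL.
// $q = $dbh->query("SELECT her, fac FROM servercheck WHERE man = '$dude'");

// SAFE (what the question's script does): the SQL is fixed at prepare time;
// the bound value is only ever data, whatever characters it contains.
$q = $dbh->prepare("SELECT her, fac FROM servercheck WHERE man = ?");
$q->execute([$dude]);
$rows = $q->fetchAll(PDO::FETCH_ASSOC);

// Caveat 1: a placeholder cannot stand in for an identifier or keyword.
// A user-chosen column name must be checked against an allow-list.
$allowedColumns = ["her", "fac"];
$col = $_GET["col"] ?? "her";            // assumed extra input
if (!in_array($col, $allowedColumns, true)) {
    http_response_code(400);
    exit("unknown column");
}
$q2 = $dbh->prepare("SELECT `$col` FROM servercheck WHERE man = ?");
$q2->execute([$dude]);

// Caveat 2: with LIKE the value is still safely bound, but % and _ inside
// it still act as wildcards. Escape them when a literal prefix match is meant.
$pattern = addcslashes($dude, '%_\\') . '%';
$q3 = $dbh->prepare("SELECT her, fac FROM servercheck WHERE man LIKE ?");
$q3->execute([$pattern]);
```

The prepared statement protects the value position only; the structure of the query (column names, table names, ORDER BY direction) must still come from code you control, and the DOM output in the question is what keeps the returned values from breaking the XML.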

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow