This is still binding the values to a prepared statement. You are doing the same thing as if you were using the bindParam function. So the answer is yes, it is just as safe. bindParam just allows for more functionality than simply binding with the execute function, for example:
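$sth = $dbh->prepare("SELECT * FROM users WHERE status = :v1");
// bindParam binds by reference, so it needs a variable rather than a literal
$status = 1;
$sth->bindParam(':v1', $status, PDO::PARAM_INT);
$sth->execute();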
This allows you to specify the data_type; by default, with execute, everything is sent as a string. Also, you can look at the answer to this similar question: PDO bindParam vs. execute
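The two points above, shown side by side in an added example that is not part of the original answer: a value passed to execute() and a value bound with bindParam() are both treated as data, and only the bound type differs. It assumes the pdo_sqlite extension; the table, rows and input string are constructed for the demonstration.

```php
<?php
// Added example: in-memory SQLite database with constructed sample rows.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, status INTEGER)');
$dbh->exec("INSERT INTO users (name, status) VALUES ('alice', 1), ('bob', 0), ('carol', 1)");

// Constructed input that would change the query if it were concatenated into the SQL.
$input = '1 OR 1=1';

// 1) Value passed through execute(): bound to the placeholder, never parsed as SQL.
$sth = $dbh->prepare('SELECT name FROM users WHERE status = :v1');
$sth->execute([':v1' => $input]);
$viaExecute = $sth->fetchAll(PDO::FETCH_COLUMN);

// 2) Same value through bindParam(): also bound, same result.
$sth = $dbh->prepare('SELECT name FROM users WHERE status = :v1');
$sth->bindParam(':v1', $input, PDO::PARAM_STR);
$sth->execute();
$viaBindParam = $sth->fetchAll(PDO::FETCH_COLUMN);

// 3) The difference is the type the driver receives.
//    SQLite's typeof() reports the storage class of the bound value.
$sth = $dbh->prepare('SELECT typeof(:v1)');
$sth->execute([':v1' => 1]);            // execute() binds everything as a string
$typeViaExecute = $sth->fetchColumn();

$status = 1;                            // bindParam needs a variable (by reference)
$sth = $dbh->prepare('SELECT typeof(:v1)');
$sth->bindParam(':v1', $status, PDO::PARAM_INT);
$sth->execute();
$typeViaBindParam = $sth->fetchColumn();

// Both row lists match: the input was compared as a value, not run as SQL.
var_dump($viaExecute === $viaBindParam);
echo 'rows via execute():   ', json_encode($viaExecute), PHP_EOL;
echo 'rows via bindParam(): ', json_encode($viaBindParam), PHP_EOL;
echo 'type via execute():   ', $typeViaExecute, PHP_EOL;
echo 'type via bindParam(): ', $typeViaBindParam, PHP_EOL;
```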