Usually, when getting input from users through a form, you should use a prepared statement to prevent SQL injection. Binding is not compulsory; however, it can allow you to apply stricter conditions. When getting input from the URL query string and the intention is to use that to retrieve data from the database, you can simply use the query method, which both prepares and executes in one statement.
You can check the PDO course too - https://devscreencast.com/courses/learn-and-understand-php-data-objects-pdo
My "Solved" answer was for another question, but mistakenly posted here. Please provide some feedback to my original question:
When is it OK to use PDO operations without parameter binding? If we're not dealing with sensitive information? When there is no user input or passing of data through POST/GET?
When MUST we use parameter binding - only when there is user input? Or?
I am still not that familiar with SQL injection and hacking methods.
Actually, you could just use the query method, which will essentially prepare and execute the query at the same time:
$result = $db->query();
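An added example, not part of any post in this thread, contrasting the three cases the question asks about: fixed SQL passed to query(), an outside value concatenated into the SQL text, and the same value passed through a placeholder, with and without an explicit type. The `users` table, the sample values and the in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions made for the illustration.

```php
<?php
// Added example: constructed table and data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('Alice'), ('O''Brien'), ('Bob')");

// 1. The SQL text is fixed in the source and contains no outside value:
//    query() on its own is fine here.
$all = $db->query('SELECT name FROM users ORDER BY id DESC')
          ->fetchAll(PDO::FETCH_COLUMN);

// 2. A value that originates outside the code (form field, query string,
//    cookie, file, API response). Constructed stand-in for $_GET['name'].
$name = "O'Brien";

// 2a. Concatenation: the value becomes part of the SQL text, so its quote
//     character ends the string literal early and the statement no longer
//     parses. The data is being interpreted as SQL.
try {
    $db->query("SELECT id FROM users WHERE name = '$name'");
    $concatOk = true;
} catch (PDOException $e) {
    $concatOk = false;
}

// 2b. Placeholder: the SQL text stays fixed and the value travels separately,
//     so it is only ever treated as data.
$stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
$stmt->execute([':name' => $name]);
$id = $stmt->fetchColumn();

// 3. Explicit binding adds a type check on top of the placeholder:
//    validate the value, then bind it as an integer.
$limit = filter_var('2', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 100]]);
if ($limit === false) {
    $limit = 10; // fall back to a fixed default when the input is not valid
}
$stmt = $db->prepare('SELECT name FROM users ORDER BY id DESC LIMIT :n');
$stmt->bindValue(':n', $limit, PDO::PARAM_INT);
$stmt->execute();
$top = $stmt->fetchAll(PDO::FETCH_COLUMN);

var_dump($all, $concatOk, $id, $top);
```

The deciding factor is where the value comes from, not whether the data is sensitive: any value that is not a literal in the source code goes through a placeholder.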
Solved. Seems like the previous fetch required a DESC order command: