I use a similar algorithm but only with authenticated users (like an admin) and never with public-facing pages... NEVER TRUST un-authenticated input. That said, here is how I programmatically create the binder for the placeholders.
    try {
        $stmt = $DB->prepare($query);
        if ($bind != null) {
            if (is_array($bind)) { // multiple binders
                // Positional placeholders are 1-based, so $bind[0] goes to placeholder 1.
                // is_array() is checked first: count() on a scalar is a TypeError in PHP 8,
                // and a one-element array must still be bound element by element.
                $cnt = count($bind);
                $t = 1;
                for ($i = 0; $i < $cnt; $i++) {
                    $stmt->bindParam($t, $bind[$i]);
                    $t++;
                }
            } else { // single binder (scalar value)
                $stmt->bindParam(1, $bind);
            }
        }
        if ($stmt->execute()) {
            while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
                $this->result[] = $row;
            }
            return $this->result;
        } else {
            throw new Exception("L63: Error on dbmanage::query execution.");
        }
    } catch (Exception $e) {
        error_log("Error on query method: " . $e->getMessage());
    }
This line here, `$stmt->bindParam($t,$bind[$i]);`, is taking the bind array and applying a number placeholder to the binding; in effect it would be the same as typing

    $stmt->bindParam(1,$bind[0]);
    $stmt->bindParam(2,$bind[1]);
    $stmt->bindParam(3,$bind[2]);

where `$bind` is an array of your form input. Also, make sure you sanitize everything. Good luck.
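As an added, stand-alone example (not part of this answer), here is the same positional-binding loop run end to end against an in-memory SQLite database; the table, the rows and the `$formInput` array are constructed for the demo, and it assumes the pdo_sqlite extension is loaded:

```php
<?php
// Added example, not the answer's own code. Shows that a value containing a
// quote is sent to the driver as data and still matches its row.

function runQuery(PDO $db, string $query, array $bind): array
{
    $stmt = $db->prepare($query);
    // Positional placeholders are 1-based, so $bind[0] fills placeholder 1,
    // exactly like the bindParam(1,$bind[0]); bindParam(2,$bind[1]); expansion.
    // bindValue is used rather than bindParam: bindParam binds by reference,
    // and $value is reused on every loop iteration, so every placeholder would
    // end up holding the last element at execute() time.
    foreach ($bind as $i => $value) {
        $stmt->bindValue($i + 1, $value);
    }
    // Equivalent shortcut: $stmt->execute($bind) binds every element by position.
    if (!$stmt->execute()) {
        throw new RuntimeException('query execution failed');
    }
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
// Constructed sample rows ('' is the SQL escape for a literal quote).
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('O''Brien', 'user')");

// Constructed "form input": the quote in O'Brien would break a string-concatenated
// query, but as a bound parameter it is compared as plain data.
$formInput = ["O'Brien", 'user'];
$rows = runQuery($db, 'SELECT id, name, role FROM users WHERE name = ? AND role = ?', $formInput);
echo count($rows), " row(s): ", $rows[0]['name'] ?? 'none', "\n";
```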