Just a stupid question: I know very well how to prevent MySQL injection using PDO and MySQLi, but can I prevent it if I just do not allow symbols in the forms?
I mean, if I use something like:
<input name="txt_user" id="txt_user" pattern="[a-zA-Z0-9-]+">
No. There is nothing preventing the user from editing the HTML of the page and removing that attribute.
Validation should always be done on the server side. See also
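
The following PHP sketch is an added example, not part of the original answer. It repeats the form's pattern on the server and keeps the prepared statement as the actual injection defence. The `users` table, the `findUser` function and the sample request bodies are constructed for illustration, and an in-memory SQLite database (assumes the `pdo_sqlite` extension) stands in for MySQL.

```php
<?php
// Added example. Table, column and function names are hypothetical.

// Server-side copy of the form's pattern. \A and \z anchor the whole string;
// unlike $, \z does not match before a trailing newline.
const USER_PATTERN = '/\A[a-zA-Z0-9-]+\z/';

function findUser(PDO $db, array $post): ?array
{
    $user = $post['txt_user'] ?? '';
    // Reject anything the browser-side pattern would have rejected. The
    // request may not come from a browser at all, so the check must live here.
    if (!is_string($user) || preg_match(USER_PATTERN, $user) !== 1) {
        return null;
    }
    // The prepared statement is still what prevents injection: the value is
    // bound as data and never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice-01')");

// Constructed request bodies, as the server would see them in $_POST.
$requests = [
    ['txt_user' => 'alice-01'],         // sent through the unmodified form
    ['txt_user' => "alice' --"],        // pattern attribute removed in the browser
    ['txt_user' => ['nested' => 'v']],  // txt_user[nested]=v, not even a string
    [],                                 // field missing entirely
];

foreach ($requests as $post) {
    $row = findUser($db, $post);
    $result = $row !== null ? "found id {$row['id']}" : 'rejected';
    echo json_encode($post), ' => ', $result, PHP_EOL;
}
```

Only the first request returns a row; the other three are rejected before any query runs, whatever the HTML attribute said.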