So, I have a few files that uses XF's framework. They directly get data from the POST or GET globals. If running a MySQL query, are injections automatically prevented or do I need to use a prepared statement? If the latter, does XenForo have any practice that should be used for this?
$userId = $_GET['user'];
$query = $db->fetchRow(' SELECT * FROM xf_user WHERE user_id = ?, $userId);