php - PDO, Prepared statements and SQL-Injection again -


After reading several articles about PDO and MySQLi prepared statements, and tens of questions on stackoverflow.com concerning prepared statements and SQL injection, with people saying that with the correct use of prepared statements there's no need anymore to escape user entries, I think I'm still worried and still have security concerns.

1st question: If I still sanitize entries using reg-exp and escaping before using them in prepared statements, am I overdoing it?

2nd question: If prepared statements are doing the job concerning SQL injection (from people's comments and answers), why are there still compromised databases, and more and more exposed data such as credit card numbers, passwords and hacked accounts on "big", well-known websites? I mean, is a prepared statement alone not immune, or is that a totally different topic?

If I still sanitize entries using reg-exp and escaping before using them in prepared statements, am I overdoing it?

  • If you are removing characters that have special meaning in SQL because they have special meaning in SQL, that's a waste (and leads to storing Ms. O'Donnell's surname incorrectly).
  • If you are escaping characters, then you are double encoding, which is terrible: you'll end up (for example) sending emails starting Dear Ms. O\'Donnell,.
  • If you are making sure a date is a sensible date, that's sensible protection of data integrity.

If prepared statements are doing the job concerning SQL injection (from people's comments and answers), why are there still compromised databases, and more and more exposed data such as credit card numbers, passwords and hacked accounts on "big", well-known websites? I mean, is a prepared statement alone not immune, or is that a totally different topic?

Because:

  • Not everyone uses prepared statements.
  • Not everyone who uses them uses them correctly.
  • Databases can be attacked through other vectors (such as a remote code execution vulnerability in the web server, or brute-force attacks on the admin user's SSH account).
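The following is an added example, not code from the question or the answer above. It uses PDO against an in-memory SQLite database (the pdo_sqlite extension is assumed; table and column names are made up) to show the three points of the answer in running code: a bound parameter stores Ms. O'Donnell's surname exactly as typed, escaping before binding stores the backslash as data (the "double encoding" case), and checking that a date is a real calendar date is the kind of validation that still belongs in the application.

```php
<?php
// Added example, not part of the original question or answer.
// Assumes PHP with the pdo_sqlite extension; all names and sample values are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Prefer native server-side prepares where the driver supports them (no effect on
// SQLite, but on MySQL this stops the driver from emulating prepares by string escaping).
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, surname TEXT NOT NULL, signup_date TEXT NOT NULL)');

// Data-integrity check, not SQL-syntax sanitizing: is this a real calendar date?
// createFromFormat() silently rolls 2013-02-29 over to 2013-03-01, so round-trip it.
function isValidDate(string $value): bool
{
    $d = DateTime::createFromFormat('Y-m-d', $value);
    return $d !== false && $d->format('Y-m-d') === $value;
}

// Constructed sample inputs, as they might arrive from a web form.
foreach (['2013-02-29', '2013-03-01'] as $candidate) {
    echo $candidate, ' is ', isValidDate($candidate) ? 'a valid date' : 'not a real date', "\n";
}

$insert = $pdo->prepare('INSERT INTO customers (surname, signup_date) VALUES (:surname, :signup_date)');
$select = $pdo->prepare('SELECT surname FROM customers WHERE surname = :surname');

// Correct use: the value travels separately from the SQL text, so the apostrophe
// in O'Donnell is data, never syntax, and no escaping of any kind is applied by us.
$insert->execute([':surname' => "O'Donnell", ':signup_date' => '2013-03-01']);
$select->execute([':surname' => "O'Donnell"]);
echo 'Stored as: ', $select->fetchColumn(), "\n";   // O'Donnell

// Double encoding: escaping *and* binding stores the backslash itself, which is how
// an email later ends up addressed to "Dear Ms. O\'Donnell".
$insert->execute([':surname' => addslashes("O'Donnell"), ':signup_date' => '2013-03-01']);
$select->execute([':surname' => "O\\'Donnell"]);
echo 'Escaped-then-bound surname stored as: ', $select->fetchColumn(), "\n";   // O\'Donnell

// For contrast, the pattern prepared statements replace: splicing the raw value into
// the SQL string. The same legitimate surname is enough to break the query, which is
// the symptom that ad-hoc escaping was trying to paper over.
try {
    $pdo->query("SELECT surname FROM customers WHERE surname = 'O'Donnell'");
} catch (PDOException $e) {
    echo 'Concatenated query failed: ', $e->getMessage(), "\n";
}
```

Run it with `php example.php`. Note that the apostrophe never needs handling by the application in the bound version, while the date check is kept precisely because it validates meaning rather than SQL syntax; that is the distinction the answer draws between wasted escaping and sensible integrity checks.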
