Okay, I just goofed. No, I did not find any flaw in OLS. (Sorry.)
For starters, it looks like my PDO bindParam syntax (above) was wrong. Instead of . . .
$stmt->bindParam(':first_name' => $first_name);
...it should be...
$stmt->bindParam(':first_name', $first_name);
But in any case, I got...