Yep! Minor nitpick: prepared statements aren’t the important property here; driver/protocol-level separation of code and data is. Even without using a prepared statement, if you run the parametrized query “select col from table where x = ?” and pass “foo” for the ? parameter, injection isn’t possible. The query is sent (and parsed and executed) separately from the parameter value.
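To make that distinction concrete, here is an added example (mine, not code from the comment above) using Python's stdlib sqlite3 module, which binds parameters through the engine's own API rather than pasting them into the SQL text. The table, rows and the hostile value are constructed for the demo.

```python
import sqlite3

# Constructed sample data (not from the thread): one table with two rows.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t (x text, col text)")
    conn.executemany(
        "insert into t values (?, ?)",
        [("foo", "public"), ("bar", "secret")],
    )
    return conn

# A value that only "works" if it gets parsed as part of the SQL text.
HOSTILE = "foo' or '1'='1"

def concatenated(conn, value):
    # String-built query: the value becomes part of the SQL the engine parses,
    # so the quote and the tautology change the meaning of the statement.
    sql = f"select col from t where x = '{value}'"
    return [row[0] for row in conn.execute(sql)]

def parametrized(conn, value):
    # The SQL text is fixed and parsed on its own; the value is bound afterwards
    # and is compared as data, never interpreted as SQL. No prepared statement
    # object is kept around; the separation alone is what matters.
    return [row[0] for row in conn.execute("select col from t where x = ?", (value,))]

def demo():
    conn = make_db()
    return {
        "concat_plain": concatenated(conn, "foo"),      # ['public']
        "concat_hostile": concatenated(conn, HOSTILE),  # every row: ['public', 'secret']
        "param_plain": parametrized(conn, "foo"),       # ['public']
        "param_hostile": parametrized(conn, HOSTILE),   # [] : no row has that literal x
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:15} -> {rows}")
```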