SQL injection: when the user can supply input that becomes part of the SQL statement itself
For example:
String query = "INSERT INTO students VALUES('" + user + "')";
When the user supplies "Robert'); DROP TABLE students; --" as the input, the quote closes the literal early and the rest of the input runs as SQL: that is the injection.
How does a prepared statement prevent this?
String query = "INSERT INTO students VALUES(:name)"; // :name is a named parameter, not wrapped in quotes (quoting it would turn it back into a plain string literal)
parameters.addValue("name", user);
=> when the user again inputs "Robert'); DROP TABLE students; --", the input string is precompiled on the driver as a literal value, and I guess it may be cast like:
CAST('Robert''); DROP TABLE students; --' AS varchar(30))
So in the end, the whole string is literally inserted as the name in the table.
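The same contrast run end to end, as an added example that is not from the note or its linked post: Python's sqlite3 stands in for the Java/Spring code above, the table and the payload are constructed inline, and executescript() is used only on the vulnerable path because sqlite3's execute() refuses multi-statement text that many other drivers accept.

```python
import sqlite3

# Constructed input: the same payload the note uses.
MALICIOUS_NAME = "Robert'); DROP TABLE students; --"


def new_db():
    # Fresh in-memory database with one existing row.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name VARCHAR(30))")
    conn.execute("INSERT INTO students VALUES ('Alice')")
    conn.commit()
    return conn


def insert_unsafe(conn, user):
    # Vulnerable: the user string is pasted into the SQL text, so a quote
    # in the input ends the literal and the rest is parsed as SQL.
    query = "INSERT INTO students VALUES('" + user + "')"
    # executescript() stands in for drivers that run several statements
    # from one string; sqlite3.execute() would reject the second one.
    conn.executescript(query)
    conn.commit()


def insert_safe(conn, user):
    # Parameterized: the SQL text is fixed at prepare time and the value
    # is bound separately, so it can only ever be the name, never SQL.
    conn.execute("INSERT INTO students VALUES(:name)", {"name": user})
    conn.commit()


def table_exists(conn):
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name='students'"
    ).fetchone()
    return row[0] == 1


def student_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM students ORDER BY name")]


def demo():
    # Returns (table survives unsafe insert, table survives safe insert, rows after safe insert).
    unsafe = new_db()
    insert_unsafe(unsafe, MALICIOUS_NAME)
    safe = new_db()
    insert_safe(safe, MALICIOUS_NAME)
    return table_exists(unsafe), table_exists(safe), student_names(safe)
```

Running demo() shows the concatenated version losing the table while the parameterized version stores the whole payload as an ordinary name.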
http://blog.linguiming.com/index.php/2018/01/10/why-prepared-statement-avoids-sql-injection/