Does using preparedStatement mean there will not be any SQL Injection?

Front-end · unresolved · 5 answers · 1598 views
广开言路 2021-02-20 10:58

I have read that to prevent SQL Injection one must use PreparedStatement.
Does that mean if I am using PreparedStatement then no one can perform SQL Injection in any of my p

5 answers
  •  故里飘歌
    2021-02-20 11:32

    Although Prepared Statements help in defending against SQL Injection, there are possibilities of SQL Injection attacks through inappropriate usage of Prepared Statements.

    The example below explains such a scenario where the input variables are passed directly into the Prepared Statement, thereby paving the way for SQL Injection attacks.

    String strUserName = request.getParameter("Txt_UserName");
    // The user-supplied value is concatenated into the SQL text itself, so the
    // database parses it as SQL. There is no '?' placeholder and nothing is bound:
    // PreparedStatement adds no protection here.
    PreparedStatement prepStmt = con.prepareStatement("SELECT * FROM user WHERE userId = '" + strUserName + "'");
    

    A prepared statement can be vulnerable to SQL injection if it is not done properly.
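
The point of the answer above, as an added example that is not part of the original answer: the same `user`/`userId` query written twice in JDBC, once with the value concatenated into the SQL text (vulnerable even though `PreparedStatement` is used) and once with a `?` placeholder bound through `setString`. It also covers the caveat that placeholders bind values only, so an identifier such as an `ORDER BY` column cannot be bound and has to be checked against an allow-list. The table layout, the sample rows, the `createdAt` column and the JDBC URL taken from the command line are all assumptions made for the demo; the `user` table name comes from the answer and may clash with a reserved word in some databases.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class UserLookup {

    // VULNERABLE: PreparedStatement is used, but the value is concatenated into
    // the SQL text before the driver ever sees it. An input such as
    //   ' OR '1'='1
    // becomes part of the WHERE clause and matches every row.
    static List<String> findUserUnsafe(Connection con, String userName) throws SQLException {
        String sql = "SELECT userId FROM user WHERE userId = '" + userName + "'";
        try (PreparedStatement ps = con.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            return collect(rs);
        }
    }

    // SAFE: the SQL text holds only a placeholder; the value is bound afterwards
    // and reaches the database as data, never as SQL. The same payload now just
    // looks for a user whose id is literally  ' OR '1'='1  and finds none.
    static List<String> findUserSafe(Connection con, String userName) throws SQLException {
        String sql = "SELECT userId FROM user WHERE userId = ?";
        try (PreparedStatement ps = con.prepareStatement(sql)) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // A '?' can only bind a value. Identifiers (table or column names, an
    // ORDER BY target) cannot be bound, so a user-controlled one must be checked
    // against a fixed allow-list before it is spliced into the SQL text.
    // The column names in this set are assumed for the demo.
    private static final Set<String> SORTABLE = Set.of("userId", "createdAt");

    static List<String> listUsersSorted(Connection con, String sortColumn) throws SQLException {
        if (!SORTABLE.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column: " + sortColumn);
        }
        String sql = "SELECT userId FROM user ORDER BY " + sortColumn;
        try (PreparedStatement ps = con.prepareStatement(sql);
             ResultSet rs = ps.executeQuery()) {
            return collect(rs);
        }
    }

    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> ids = new ArrayList<>();
        while (rs.next()) {
            ids.add(rs.getString(1));
        }
        return ids;
    }

    // Demo against whatever JDBC URL is passed on the command line (assumed to be
    // an in-memory database whose driver is on the classpath). The table and the
    // two rows are constructed sample data.
    public static void main(String[] args) throws SQLException {
        try (Connection con = DriverManager.getConnection(args[0]);
             Statement st = con.createStatement()) {
            st.execute("CREATE TABLE user (userId VARCHAR(64), createdAt VARCHAR(32))");
            st.execute("INSERT INTO user VALUES ('alice', '2021-01-01'), ('bob', '2021-01-02')");

            String payload = "' OR '1'='1";
            System.out.println("unsafe: " + findUserUnsafe(con, payload));
            System.out.println("safe:   " + findUserSafe(con, payload));
            System.out.println("sorted: " + listUsersSorted(con, "createdAt"));
        }
    }
}
```

Run it with a JDBC URL for an in-memory database and the driver on the classpath; the unsafe lookup returns every user for the payload while the safe one returns an empty list, which is the whole difference between building SQL text from input and binding input to a placeholder.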
