Does using preparedStatement mean there will not be any SQL Injection?

广开言路 2021-02-20 10:58

I have read that to prevent SQL Injection one must use PreparedStatement.
Does that mean if I am using PreparedStatement then no one can perform SQL Injection in any of my p

5 answers
  •  走了就别回头了
    2021-02-20 11:32

    Short answer: yes, if used properly.

    However, this does not mean that there can't be bugs in the JDBC driver, opening up for SQL injection. When I looked into this for a company I worked at, I found that there was indeed an SQL injection bug in one of the JDBC drivers we used (PostgreSQL). This is some years ago, and the bug was fixed.

    Although I don't remember the specifics, I recall looking at the source code for a JDBC implementation, and seeing that it was implemented with string concatenation.

    I would expect this to be rare, though, and my advice would be to trust the implementation and use PreparedStatements properly.
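As an added illustration of "if used properly" (not code from this thread), the following uses Python's sqlite3 module, whose `?` placeholders bind values the same way a JDBC PreparedStatement does: the untrusted input never becomes part of the SQL text. It also shows the common misuse (formatting the input into the query string before executing it) and the one thing placeholders cannot do, bind identifiers such as column names. The table and rows are constructed sample data.

```python
import sqlite3

# Identifiers cannot be bound as parameters, so anything that ends up in
# ORDER BY / table / column position must come from a fixed allowlist.
ALLOWED_SORT_COLUMNS = {"username", "created_at"}


def setup_db():
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, created_at TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "2021-01-01"), ("bob", "2021-02-01")],
    )
    return conn


def find_user_concat(conn, username):
    """Misuse: the input is spliced into the SQL text, so it is parsed as SQL.

    Doing this and then handing the string to prepareStatement()/execute()
    is still string concatenation; the driver cannot undo it."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_user_prepared(conn, username):
    """Proper use: the statement is compiled first, the value is bound
    separately, so whatever the input contains is compared as a literal."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def list_users_sorted(conn, sort_column):
    """Column names cannot be parameterised; validate against the allowlist
    before interpolating, and reject everything else."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    sql = f"SELECT username FROM users ORDER BY {sort_column}"
    return [row[0] for row in conn.execute(sql)]
```

With a normal username both query styles return the same row; with an input containing a quote and an OR clause, the concatenated query matches every row while the bound query matches none.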
