Do prepare statements secure your database?

Frontend | Unresolved | 4 | 1567
执笔经年 2021-01-18 01:10

I know that this question may be closed by some of you, but my question came up from you and your answers. I am reading the past two hours questions and answers for SQL Inje

4 answers
  •  滥情空心
    2021-01-18 01:23

    Prepared statements don't. Bound parameters secure the statement (not the database as a whole) so long as all your untrusted data is passed via a parameter rather than being interpolated into the statement. When people use prepared statements, they almost always use bound parameters too, so the two names are often conflated.

    1. Prepare statement
    2. Run statement with variables as additional arguments

    mysql_real_escape_string almost always does the job, but since it adds additional steps to the process, it is more prone to human error.

    1. Escape each variable
    2. Concatenate variables into SQL statement
    3. Run statement
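Added illustration, not part of the thread above: a small Python script using the standard-library sqlite3 module that contrasts the two patterns the answer lists. The table, its rows and the function names are constructed for this example. It shows that the same statement text is harmless when the value is bound (`?` placeholder) and becomes a different query when the value is concatenated in, and that a legitimate quote in the input breaks the concatenated version even without any attacker involved.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table; not data from the original thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user"), ("o'brien", "user")],
    )
    conn.commit()
    return conn


def lookup_interpolated(conn, name):
    """Risky pattern: untrusted input is concatenated into the statement text."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "' ORDER BY id"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    """Safe pattern: statement text is fixed, the value travels as a bound parameter."""
    sql = "SELECT name, role FROM users WHERE name = ? ORDER BY id"
    return conn.execute(sql, (name,)).fetchall()


def interpolation_is_fragile(conn):
    """Return True if an ordinary quote in the input breaks the interpolated query."""
    try:
        lookup_interpolated(conn, "o'brien")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # classic textbook input used to show the difference
    print("bound, normal input:   ", lookup_bound(db, "alice"))
    print("bound, quote in name:  ", lookup_bound(db, "o'brien"))
    print("bound, probe input:    ", lookup_bound(db, probe))          # no such name -> []
    print("interpolated, probe:   ", lookup_interpolated(db, probe))   # WHERE clause now always true
    print("interpolated breaks on quote:", interpolation_is_fragile(db))
```

The bound version never needs an escaping step, which is the answer's point: there is no step 1 to forget. The interpolated version shows the cost of that missing step twice, once as a query that returns every row and once as a plain syntax error on a real name containing an apostrophe.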
