Can parameterized statement stop all SQL injection?

Backend · Unresolved · 12 · 1902
轻奢々 2020-11-30 20:31

If yes, why are there still so many successful SQL injections? Just because some developers are too dumb to use parameterized statements?

12 answers
  •  伪装坚强ぢ
    2020-11-30 21:15

    Yes, the use of prepared statements stops all SQL injections, at least in theory. In practice, parameterized statements may not be real prepared statements, e.g. PDO in PHP emulates them by default, so it's open to an edge-case attack.

    If you're using real prepared statements, everything is safe. Well, at least as long as you don't concatenate unsafe SQL into your query as a reaction to not being able to prepare table names, for example.

    If yes, why are there still so many successful SQL injections? Just because some developers are too dumb to use parameterized statements?

    Yes, education is the main point here, and legacy code bases. Many tutorials use escaping and those can't be easily removed from the web, unfortunately.
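The two points in the answer above, that a bound parameter is always treated as data and that identifiers such as table names cannot be bound at all, can be seen side by side in a small runnable example. This is added illustration, not code from the question or the answer, and it uses Python's built-in sqlite3 module rather than PHP/PDO so it runs offline; the schema, rows and the `ALLOWED_TABLES` allow-list are constructed for the demonstration. (In PDO the emulation the answer mentions is turned off by setting `PDO::ATTR_EMULATE_PREPARES` to false, so the database server, not the driver, binds the values.)

```python
import sqlite3

# Constructed sample schema and rows; not from the original post.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user');
CREATE TABLE audit (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
"""


def make_db():
    """Return an in-memory SQLite connection loaded with the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_concatenated(conn, name):
    """The vulnerable pattern: user input is spliced into the SQL text,
    so a quote in the input changes the query's structure."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The safe pattern: the value is bound separately from the SQL text,
    so it can only ever be compared as data."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Identifiers (table and column names) cannot be bound as parameters.
# Instead of concatenating them, which is the trap the answer warns about,
# map the request onto a fixed allow-list (hypothetical, for this example).
ALLOWED_TABLES = {"users", "audit"}


def count_rows(conn, table, role):
    """Count rows with a given role in one of the permitted tables.
    The table name is checked against the allow-list; the role is bound."""
    if table not in ALLOWED_TABLES:
        raise ValueError("table name not permitted: %r" % (table,))
    sql = 'SELECT COUNT(*) FROM "%s" WHERE role = ?' % table
    return conn.execute(sql, (role,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("concatenated :", lookup_concatenated(db, probe))   # every row
    print("parameterized:", lookup_parameterized(db, probe))  # no rows
    print("users/user   :", count_rows(db, "users", "user"))
```

With the same textbook input, the concatenated query returns every user while the parameterized one returns nothing, because the bound value is compared literally. The `count_rows` helper shows the only sound option for the identifier case: validate the name against a closed set before it is placed in the query text, and keep binding the values.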
