Can parameterized statement stop all SQL injection?

Backend  Unresolved  12  1869
轻奢々 2020-11-30 20:31

If yes, why are there still so many successful SQL injections? Just because some developers are too dumb to use parameterized statements?

12 answers
  •  栀梦 (OP)
     2020-11-30 21:21

    Can parameterized statement stop all SQL injection?

    Yes, as long as your database driver offers a placeholder for every possible SQL literal. Most prepared statement drivers don't. Say, you'd never find a placeholder for a field name or for an array of values, which will make a developer fall back into tailoring a query by hand, using concatenation and manual formatting, with the predictable outcome.

    That's why I made my Mysql wrapper for PHP that supports most of the literals that can be added to the query dynamically, including arrays and identifiers.

    If yes, why are there still so many successful SQL injections? Just because some developers are too dumb to use parameterized statements?

    As you can see, in reality it's just impossible to have all your queries parameterized, even if you're not dumb.
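The two gaps the answer names (no placeholder for an array of values, none for an identifier) and the safe way to fill each of them, as an added example that is not part of the original thread or of the answerer's PHP wrapper. It uses Python's standard sqlite3 module as a stand-in for a MySQL driver; the `products` table, its rows and the `ALLOWED_SORT_COLUMNS` allow-list are constructed for the demonstration.

```python
import sqlite3

# Constructed allow-list of identifiers the application is willing to sort by.
# A placeholder cannot carry a column name, so the name must be validated
# before it is spliced into the query text.
ALLOWED_SORT_COLUMNS = frozenset({"id", "name", "price"})


def make_db():
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)"
    )
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("apple", 1.0), ("pear", 2.0), ("plum", 3.0)],
    )
    return conn


def find_by_name(conn, name):
    """Value literal: the driver has a placeholder, so the input is data, never SQL."""
    return conn.execute(
        "SELECT id FROM products WHERE name = ?", (name,)
    ).fetchall()


def find_by_ids(conn, ids):
    """Array literal: there is no single placeholder for a list, so generate
    one '?' per element instead of joining the values into the query text."""
    ids = list(ids)
    if not ids:
        return []  # "IN ()" is a syntax error in most engines; short-circuit instead
    marks = ",".join("?" * len(ids))
    return conn.execute(
        f"SELECT name FROM products WHERE id IN ({marks}) ORDER BY id",
        tuple(ids),
    ).fetchall()


def is_allowed_column(column):
    """Identifier check: only names from the allow-list may reach the query."""
    return column in ALLOWED_SORT_COLUMNS


def list_sorted(conn, column):
    """Identifier: validate against the allow-list, then quote it as an SQL
    identifier (double quotes) so it is parsed as exactly one token."""
    if not is_allowed_column(column):
        raise ValueError(f"unsupported sort column: {column!r}")
    return [
        row[0]
        for row in conn.execute(f'SELECT name FROM products ORDER BY "{column}"')
    ]


if __name__ == "__main__":
    db = make_db()
    print(find_by_name(db, "apple"))          # [(1,)]
    print(find_by_name(db, "apple' OR 'a'='a"))  # [] : treated as a literal name
    print(find_by_ids(db, [3, 1]))            # [('apple',), ('plum',)]
    print(list_sorted(db, "price"))           # ['apple', 'pear', 'plum']
```

The point of `find_by_ids` and `list_sorted` is that the dynamic part of the query is never user-supplied text: the `IN` list is built from a count, and the column name is chosen from a fixed set, so neither path needs the manual quoting the answer warns about.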
