Parameters are used to protect you from malicious user input.
But if the parameter expects a string, is it possible to write input that will be interpreted as SQL, s
Nothing you input as a parameter via a BindWhatever() call can ever be executed as SQL.
The SQL has already been parsed and evaluated before you bind the variable data, so it's simply impossible for this data to get mistaken for SQL.
Of course, someone could still pass you some JavaScript, which the database will faithfully store and possibly serve up for execution on someone else's browser!
So you still need to rid your input of (or at least escape) any ({[]})\ type characters.
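An added example (not code from either poster) that demonstrates both points of the answer above in Python's standard sqlite3 module, which stands in here for whatever BindWhatever() API the thread has in mind. The table, the two payloads and the HTML sink are constructed for the demo. The first lookup builds the SQL by concatenation and is deliberately vulnerable; the second binds the same input as a parameter, so the statement is compiled before the value is ever seen and the payload is matched literally. The last part stores a script tag through a bound parameter, reads it back unchanged, and escapes it only at the point where it is rendered into HTML.

```python
import html
import sqlite3

# Constructed sample inputs: a classic SQL injection string and a stored-XSS payload.
SQLI_PAYLOAD = "x' OR '1'='1"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def setup_db():
    """In-memory table with two rows, constructed for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)")
    conn.executemany(
        "INSERT INTO users (name, bio) VALUES (?, ?)",
        [("alice", "hello"), ("bob", "world")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """VULNERABLE: the input is spliced into the SQL text, so it can change the query."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Bound parameter: the statement is parsed first, the value is supplied as data afterward."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def store_bio(conn, name, bio):
    """Store arbitrary text through a bound parameter; the DB keeps it byte-for-byte."""
    conn.execute("UPDATE users SET bio = ? WHERE name = ?", (bio, name))
    conn.commit()


def stored_bio(conn, name):
    """Read the stored value back exactly as the database holds it."""
    return conn.execute("SELECT bio FROM users WHERE name = ?", (name,)).fetchone()[0]


def render_bio_html(conn, name):
    """HTML sink: escape at output time, because the stored value is untrusted."""
    return "<p>" + html.escape(stored_bio(conn, name)) + "</p>"


if __name__ == "__main__":
    db = setup_db()
    print("concatenated:", lookup_unsafe(db, SQLI_PAYLOAD))  # every row leaks
    print("bound param: ", lookup_safe(db, SQLI_PAYLOAD))    # nothing matches
    store_bio(db, "alice", XSS_PAYLOAD)
    print("stored:      ", stored_bio(db, "alice"))          # script tag, verbatim
    print("rendered:    ", render_bio_html(db, "alice"))     # harmless in a browser
```

Run it and the concatenated query returns both users for the injection string, while the bound query returns none, because the parameter is compared as the literal string x' OR '1'='1. The stored script tag comes back exactly as submitted; it is the HTML rendering step, not the database, that has to neutralise it.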