in reply to parameterised query using database functions
Notice that the placeholders are not enclosed in quotes. ("?" is a literal string consisting of one question-mark.)
The database driver will recognize that these are bound parameters and will insist that the execute call (etc.) must have the corresponding number of parameter-values supplied.
The nice thing about parameters is that you only have to prepare the query once.
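As an added, self-contained illustration of the points in this reply (not code from the original poster), here is the same idea in Python's standard `sqlite3` module, which also uses unquoted `?` placeholders. The table, rows and query are constructed for the example. Python's `sqlite3` does not expose a separate `prepare()` call; it compiles the statement on first use and caches it, and `executemany` runs one compiled statement against many parameter tuples, which is the "prepare once" behaviour described above. The functions also show what the driver does when the placeholder count and the supplied values disagree, and that a quoted `'?'` is just a one-character string literal rather than a placeholder.

```python
import sqlite3


def build_demo_db():
    """Create an in-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    # One compiled INSERT, executed three times with different bound values.
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'malley", "user")],
    )
    conn.commit()
    return conn


def find_users_by_role(conn, role):
    """Placeholder is NOT quoted; the driver binds `role` as a single value.

    Whatever `role` contains is compared as data, never parsed as SQL.
    """
    cur = conn.execute("SELECT name FROM users WHERE role = ?", (role,))
    return [row[0] for row in cur.fetchall()]


def find_user_by_name(conn, name):
    """Lookup by name; apostrophes in the value need no escaping."""
    cur = conn.execute("SELECT id FROM users WHERE name = ?", (name,))
    row = cur.fetchone()
    return row[0] if row else None


def parameter_count_mismatch(conn):
    """Two placeholders but one value: the driver refuses to execute.

    Returns the driver's error message, or None if no error was raised.
    """
    try:
        conn.execute(
            "SELECT name FROM users WHERE role = ? AND name = ?", ("user",)
        )
    except sqlite3.ProgrammingError as exc:
        return str(exc)
    return None


def quoted_placeholder_is_literal(conn):
    """'?' inside quotes is a string literal, so the statement has zero
    placeholders and the supplied value has nowhere to bind.

    Returns the driver's error message, or None if no error was raised.
    """
    try:
        conn.execute("SELECT name FROM users WHERE role = '?'", ("admin",))
    except sqlite3.ProgrammingError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = build_demo_db()
    print(find_users_by_role(db, "admin"))
    print(find_user_by_name(db, "o'malley"))
    # A classic injection string is bound as data and matches no row.
    print(find_users_by_role(db, "user' OR '1'='1"))
    print(parameter_count_mismatch(db))
    print(quoted_placeholder_is_literal(db))
```

Run it with any Python 3 interpreter; no external database is needed. The last two calls return the driver's "incorrect number of bindings" message, which is exactly the driver "insisting" on a matching parameter count that the reply describes.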