Placeholders are hugely important! The un-quoted question marks in the query string are, in effect, variables that the query consumes when it runs. Each question mark is matched left-to-right with an entry in an array of values that is supplied separately, and the count must match exactly: one value per placeholder, no more and no fewer. The values are therefore never “part of the SQL string”; the database parses the statement and fixes its structure before it ever sees the values, so a quote, semicolon or comment marker inside a value cannot change what the statement does ... thereby neatly avoiding the Bobby Tables problem.
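To make the difference concrete, here is an added example (not code from the original page) using Python's standard `sqlite3` module, which uses the same un-quoted `?` placeholders and a separately supplied sequence of values. The table, rows and e-mail addresses are constructed for the demonstration. The unsafe lookup splices the caller's value into the SQL text; the safe one binds it through a placeholder, so even the xkcd “Bobby Tables” name is stored and looked up as ordinary data, and a mismatched number of values is rejected by the driver rather than silently misaligned.

```python
import sqlite3

# Constructed sample data for this example (not from the original page).
SEED_ROWS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]
BOBBY = "Robert'); DROP TABLE students;--"   # the xkcd "Bobby Tables" name


def make_db():
    """In-memory SQLite database holding the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?)", SEED_ROWS)
    # Bound through placeholders, so the quotes and semicolon are stored verbatim.
    conn.execute("INSERT INTO students VALUES (?, ?)", (BOBBY, "bobby@example.com"))
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: the caller's value becomes part of the SQL text, so a quote
    inside it changes the structure of the statement the database parses."""
    sql = "SELECT name, email FROM students WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Placeholder version: the un-quoted ? is filled from the tuple passed
    separately; the database sees the value only as data, never as SQL."""
    sql = "SELECT name, email FROM students WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def binding_count_is_enforced(conn):
    """Each ? needs exactly one value; supplying too few (or too many) is an
    error from the driver rather than a query with shifted parameters."""
    try:
        conn.execute("SELECT * FROM students WHERE name = ? AND email = ?", ("alice",))
    except sqlite3.ProgrammingError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("unsafe:", lookup_unsafe(db, tautology))   # every row leaks
    print("safe:  ", lookup_safe(db, tautology))     # [] : no student has that name
    print("bobby: ", lookup_safe(db, BOBBY))          # found, as ordinary data
    print("count enforced:", binding_count_is_enforced(db))
```

With the tautology payload, `lookup_unsafe` runs `WHERE name = '' OR '1'='1'` and returns every student, while `lookup_safe` compares the whole payload against the `name` column as a string and returns nothing. The same mechanism is what lets the Bobby Tables row be inserted and found intact.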