Nope, because it doesn’t necessarily turn it into a SQL statement that is sent.
That’s not how these things work.
We pass to the vendor’s client library an address (more or less) saying “get the data from here with this type and this length”.
What they do with it in their SDK is up to them, but I doubt they turn it into a SQL statement, since that would mean they too would be vulnerable to nicely crafted SQL injection attacks.
At least the vendor SDKs I’ve worked with that do this certainly don’t do that.
It is now a two-step update. The first step passes up the prepared statement construct without the data. The second step sends up the data and says use that construct I previously sent. This way it is slower, but more secure.