SQLite Forum

Confused about blobs
Not quite. If you build up a string yourself, using a user-supplied value abc, you might end up with, say:

update mytable set mystr='abc';

which is OK. But suppose the string the user supplies, instead of abc, is:

abc'; drop mytable;

Then you're in trouble. You avoid this by using a prepared statement like this:

update mytable set mystr=?;

Note the question-mark. Then you bind the user's value to that statement, and it doesn't matter what string the user gives you, it ALL goes into the database.

So it isn't just another way of doing the same thing.
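The two approaches above, run side by side in Python's sqlite3 module against an in-memory database (an added example, not code from the post or from SQLite itself). The malicious value is constructed here and ends in a SQL comment so the leftover quote from the template is swallowed:

```python
import sqlite3

# Constructed sample values: a harmless string and one that closes the quoted
# literal, appends a second statement, and comments out the template's tail.
BENIGN_INPUT = "abc"
MALICIOUS_INPUT = "abc'; drop table mytable; --"


def fresh_db():
    """Create an in-memory database with the table from the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mytable (mystr text)")
    conn.execute("insert into mytable values ('original')")
    return conn


def update_by_concatenation(conn, value):
    """Build the SQL text by hand: the user's value becomes part of the SQL."""
    sql = f"update mytable set mystr='{value}';"
    # executescript runs every statement in the text, so anything the user
    # smuggled in after the closing quote is executed too.
    conn.executescript(sql)


def update_by_binding(conn, value):
    """Prepared statement: the value is bound to the ? and never parsed as SQL."""
    conn.execute("update mytable set mystr=?;", (value,))


def table_exists(conn):
    row = conn.execute(
        "select name from sqlite_master where type='table' and name='mytable'"
    ).fetchone()
    return row is not None


def stored_value(conn):
    """Return the single stored value, or None if the table is gone."""
    if not table_exists(conn):
        return None
    return conn.execute("select mystr from mytable").fetchone()[0]


if __name__ == "__main__":
    for label, updater in (("concatenation", update_by_concatenation),
                           ("binding", update_by_binding)):
        for value in (BENIGN_INPUT, MALICIOUS_INPUT):
            conn = fresh_db()
            updater(conn, value)
            print(f"{label:13} {value!r:36} -> stored {stored_value(conn)!r}")
```

With binding, the hostile string is stored verbatim and the table survives; with concatenation, the benign value works but the hostile one drops the table.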